Edit tour

Windows Analysis Report
Recorder_System_v1.10.0048.exe

Overview

General Information

Sample name:	Recorder_System_v1.10.0048.exe
Analysis ID:	1432274
MD5:	a9042018e74f1fc91ebfc730a295c9b4
SHA1:	f8c642249bad0286b7d61867c1bb633a6c991608
SHA256:	5ffe4b15c63ad89d31c155585fae5a7a95cdd77b2300329b5c5a1a400b087541
Infos:

Detection

Score:	36
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Antivirus detection for URL or domain

Allocates memory in foreign processes

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Loading BitLocker PowerShell Module

Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample searches for specific file, try point organization specific fake files to the analysis machine

Process Tree

System is w10x64

Recorder_System_v1.10.0048.exe (PID: 6640 cmdline: "C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe" MD5: A9042018E74F1FC91EBFC730A295C9B4)

Recorder_System_v1.10.0048.tmp (PID: 6712 cmdline: "C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp" /SL5="$402A6,102473945,718848,C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe" MD5: 1F06960E3F2EEB78A46C85642496CA37)

powershell.exe (PID: 5684 cmdline: "powershell" Set-Executionpolicy remotesigned -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Recorder System.exe (PID: 5676 cmdline: "C:\Program Files (x86)\Recorder System\Recorder System.exe" MD5: BE6CC65866AA027B96D3859D32095508)

QtWebEngineProcess.exe (PID: 2500 cmdline: "C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe" --type=renderer --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --use-gl=angle --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,BlinkGenPropertyTrees,MojoVideoCapture,NetworkServiceNotSupported,OriginTrials,SmsReceiver,UsePdfCompositorServiceForPrint,UseSurfaceLayerForVideo,VizDisplayCompositor,WebAuthentication,WebAuthenticationCable,WebPayments,WebUSB --lang=en-CH --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=11831953104643474927 --renderer-client-id=3 --mojo-platform-channel-handle=3536 /prefetch:1 MD5: 3288E9408352FFB05063B27028456E1B)

powershell.exe (PID: 5680 cmdline: powershell -file C:/Users/user/AppData/Local/official-recorder/temp/gpu.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 6624 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WmiApSrv.exe (PID: 7088 cmdline: C:\Windows\system32\wbem\WmiApSrv.exe MD5: 9A48D32D7DBA794A40BF030DA500603B)

cleanup

Sigma Signatures

System Summary

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" Set-Executionpolicy remotesigned -Force, CommandLine: "powershell" Set-Executionpolicy remotesigned -Force, CommandLine|base64offset|contains: I~%, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp" /SL5="$402A6,102473945,718848,C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp, ParentProcessId: 6712, ParentProcessName: Recorder_System_v1.10.0048.tmp, ProcessCommandLine: "powershell" Set-Executionpolicy remotesigned -Force, ProcessId: 5684, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6624, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Source: Recorder_System_v1.10.0048.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Kiloview End User License Agreement of Kiloview NDI RecorderThis Kiloview End User License Agreement of Kiloview NDI Recorder (here after called "EULA" or "the license agreement") is made available by Changsha KILOVIEW Electronics CO. LTD. (here after called "Kiloview"). If you are the direct user of Kiloview NDI Recorder please read this EULA carefully before you use them as it governs your use of the Software.You shall also be aware that the Software and all copyrights patents trademarks trade secrets and other intellectual property rights associated therewith are and shall remain the property of Kiloview. Furthermore the User acknowledges and agrees that the source and object code of the Software and the format directories queries algorithms structure and organization of the Software are the intellectual property and proprietary and confidential information of Kiloview and its affiliates licensors and suppliers. Nothing in this EULA shall give to the User or any other person any right to access or use the Source Code or constitute any license of the Source Code. Except as expressly stated in this License the User is not granted any intellectual property rights in or to the Software by implication estoppel or other legal theory and all rights in and to the Software not expressly granted in this License are hereby reserved and retained by Kiloview.In the course of building and using the Software you may provide Kiloview with such personal data like first name last name email address company name etc. The information will be used to contact or identify you and to smooth your registration by sending verification code and provide or offer software updates and instructions. We will not send you advertising information nor will we disclose your personal data.Personal Data is or may be used for the following purposes: (a) to provide and improve the Software Content Services and other features and content offered by Kiloview (b) to administer the use of the Software (c) to fulfill requests the User may make (d) to and (e) to provide the User with further information and offers from Kiloview that we believe you may find useful or interesting including newsletters marketing or promotional materials and other information on services and products offered by Kiloview.Definitions"Software" refers to a NDI Recorder designed and developed by Kiloview for all NDI sources.Grant of LicenseUpon your use and purchase of Kiloview NDI Recorder you are granted to use the software under the terms of this EULA.Restrictions on Use1. You shall use the Software strictly in accordance to the terms herein and during or after the term you shall not: a) modify sell transfer resell for profits distribute or create derivative work based on the Software or any part
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Kiloview End User License Agreement of Kiloview NDI RecorderThis Kiloview End User License Agreement of Kiloview NDI Recorder (here after called "EULA" or "the license agreement") is made available by Changsha KILOVIEW Electronics CO. LTD. (here after called "Kiloview"). If you are the direct user of Kiloview NDI Recorder please read this EULA carefully before you use them as it governs your use of the Software.You shall also be aware that the Software and all copyrights patents trademarks trade secrets and other intellectual property rights associated therewith are and shall remain the property of Kiloview. Furthermore the User acknowledges and agrees that the source and object code of the Software and the format directories queries algorithms structure and organization of the Software are the intellectual property and proprietary and confidential information of Kiloview and its affiliates licensors and suppliers. Nothing in this EULA shall give to the User or any other person any right to access or use the Source Code or constitute any license of the Source Code. Except as expressly stated in this License the User is not granted any intellectual property rights in or to the Software by implication estoppel or other legal theory and all rights in and to the Software not expressly granted in this License are hereby reserved and retained by Kiloview.In the course of building and using the Software you may provide Kiloview with such personal data like first name last name email address company name etc. The information will be used to contact or identify you and to smooth your registration by sending verification code and provide or offer software updates and instructions. We will not send you advertising information nor will we disclose your personal data.Personal Data is or may be used for the following purposes: (a) to provide and improve the Software Content Services and other features and content offered by Kiloview (b) to administer the use of the Software (c) to fulfill requests the User may make (d) to and (e) to provide the User with further information and offers from Kiloview that we believe you may find useful or interesting including newsletters marketing or promotional materials and other information on services and products offered by Kiloview.Definitions"Software" refers to a NDI Recorder designed and developed by Kiloview for all NDI sources.Grant of LicenseUpon your use and purchase of Kiloview NDI Recorder you are granted to use the software under the terms of this EULA.Restrictions on Use1. You shall use the Software strictly in accordance to the terms herein and during or after the term you shall not: a) modify sell transfer resell for profits distribute or create derivative work based on the Software or any part

Source: Recorder_System_v1.10.0048.exe

Static PE information: certificate valid

Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49742 version: TLS 1.2

Source: Recorder_System_v1.10.0048.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_hangul.pdb source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_pinyin.pdb source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_openwnn.pdb<< source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_thai.pdb source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_tcime.pdb source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_pinyin.pdb11 source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_openwnn.pdb source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_tcime.pdb&& source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File opened: C:\Program Files (x86)\Recorder System\QtQuick	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File opened: C:\Program Files (x86)\Recorder System\QtQuick\Controls\Styles\Base	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File opened: C:\Program Files (x86)\Recorder System\QtQuick\Controls\Styles\Base\ButtonStyle.qmlc	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File opened: C:\Program Files (x86)\Recorder System\QtQuick\Controls	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File opened: C:\Program Files (x86)\Recorder System\QtQuick\Controls\Styles	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File opened: C:\Program Files (x86)\Recorder System	Jump to behavior

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: global traffic

HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A4109000CC6X-BM-CBT: 1696420817X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 60X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: 0912CF9094994CFA88DE52C6FB19D4E1X-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A4109000CC6X-MSEdge-ExternalExp: bfbwsbrs0830tf,d-thshldspcl40,msbdsborgv2co,msbwdsbi920t1,spofglclicksh-c2,webtophit0r_t,wsbmsaqfuxtc,wsbqfasmsall_t,wsbqfminiserp400,wsbref-tX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=0; DaylightBias=-60; TimeZoneKeyName=GMT Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 2237Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=6666694284484FA1B35CCB433D42E997; _SS=SID=193A581F83766B4319784BBF829B6A16&CPID=1696420820117&AC=1&CPH=e5c79613&CBV=39942242; _EDGE_S=SID=193A581F83766B4319784BBF829B6A16; SRCHUID=V=2&GUID=BA43D82178364AEA9C1EE6C32BE93416&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231003; SRCHHPGUSR=SRCHLANG=en&LUT=1696420817741&IPMH=425591ef&IPMID=1696420817913&HV=1696417346; ANON=A=6D8F9DF00282E660E425530EFFFFFFFF; CortanaAppUID=4C9C2B2D0465FD7A42C74C7E93CFB630; MUIDB=6666694284484FA1B35CCB433D42E997

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.6.162
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.6.162
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 23.55.103.43
Source: unknown	TCP traffic detected without corresponding DNS query: 23.55.103.43
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32

Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=65Oa4kKcCE2B2pL&MD=WhAthezU HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=65Oa4kKcCE2B2pL&MD=WhAthezU HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: unknown

Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1
Source: Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/2
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/=1
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/K
Source: Recorder System.exe, 00000008.00000003.3352744268.0000020128200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/auth/get.json
Source: Recorder System.exe, 00000008.00000003.3236601604.00000201274F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/ntp/diff.json
Source: Recorder System.exe, 00000008.00000003.3236601604.00000201274F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/ntp/diff.json8
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/ntp/diff.jsonH
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/ntp/diff.jsonKq&
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/ntp/get.json
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/ntp/get.json1
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/ntp/get.json:65534/
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/ntp/get.jsonL
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/ntp/get.jsonl
Source: Recorder System.exe, 00000008.00000003.3236601604.00000201274F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/output/get.json?project_id=1
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/output/get.json?project_id=1E
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/output/get.json?project_id=1KX
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/output/get.json?project_id=1~
Source: Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/performance/getSys.json
Source: Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/performance/getSys.json%
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/performance/getSys.json.1:65534/u
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/performance/getSys.jsonid=1
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/performance/getSys.jsonnP
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/project/getList.json
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/record/get.json?project_id=1
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/record/get.json?project_id=1_
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/record/get.json?project_id=1er
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/record/get.json?project_id=1s
Source: Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/source/get.json
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/storage/getAvailable.json
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/storage/getAvailable.jsonhtml?output=1
Source: Recorder System.exe, 00000008.00000003.3311842712.00000201285B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/storage/getDeviceList.json
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/storage/getDeviceList.json0I
Source: Recorder System.exe, 00000008.00000003.3311842712.00000201285B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/storage/getDeviceList.json8
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/storage/getDeviceList.jsonn
Source: Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1
Source: Recorder System.exe, 00000008.00000003.2910001985.0000020127483000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.2929949341.0000020127483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1#/
Source: Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1#/home
Source: Recorder System.exe, 00000008.00000003.2930002756.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.2993437399.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1#/home&Array.isArray(e)?d(t
Source: Recorder System.exe, 00000008.00000003.2930002756.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.2993437399.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1#/home)
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1#/homeT
Source: Recorder System.exe, 00000008.00000003.2930002756.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.2993437399.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1#/homea
Source: Recorder System.exe, 00000008.00000003.2930002756.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1#/homeatch(t)
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1#/homedex.html?output=1
Source: Recorder System.exe, 00000008.00000003.2930002756.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.2993437399.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1#/homet)
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1&
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1534/
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1G
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1calX
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1id=1
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1json
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1l
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1lX
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/lang/en.json
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/lang/en.json(
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/lang/en.jsontput=1
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/lang/en.jsontput=1=1
Source: Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/static/favicon.png
Source: Recorder System.exe, 00000008.00000003.3225818355.0000020128239000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3377926199.0000020128200000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3256437375.0000020128239000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3279634870.0000020128200000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3352744268.0000020128200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://17.0.0.165534/index.html?output=1
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://code.google.com/p/chromium/issues/entry
Source: powershell.exe, 00000006.00000002.2953345209.000001A0F8D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000006.00000002.2958676236.000001A0F90D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000006.00000002.2959404528.000001A0F9102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000006.00000002.2959404528.000001A0F9102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic4
Source: powershell.exe, 00000006.00000002.2959404528.000001A0F9102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micP
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: powershell.exe, 00000006.00000002.2858291908.000001A0819B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2936119512.000001A09006A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000006.00000002.2858291908.000001A080227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://primer.com
Source: powershell.exe, 00000006.00000002.2858291908.000001A08092E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2858291908.000001A080227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000006.00000002.2858291908.000001A080001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.2858291908.000001A08092E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2858291908.000001A080227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Recorder_System_v1.10.0048.exe, 00000000.00000003.1784888881.000000007FBE0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.exe, 00000000.00000003.1784363744.0000000002580000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000000.1786143348.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://skygz.taobao.com
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://t2.symcb.com0
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcd.com0&
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: powershell.exe, 00000006.00000002.2858291908.000001A080227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Recorder_System_v1.10.0048.exe, 00000000.00000003.1784888881.000000007FBE0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.exe, 00000000.00000003.1784363744.0000000002580000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000000.1786143348.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.innosetup.com
Source: Recorder_System_v1.10.0048.exe, 00000000.00000000.1783171187.00000000004B7000.00000002.00000001.01000000.00000003.sdmp, Recorder_System_v1.10.0048.exe, 00000000.00000003.1784888881.000000007FBE0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.exe, 00000000.00000003.1784363744.0000000002580000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.exe, 00000000.00000003.2757737505.0000000002306000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000000.1786730697.0000000000668000.00000002.00000001.01000000.00000004.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000003.2723283541.0000000002426000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kiloview.com/
Source: Recorder_System_v1.10.0048.exe, 00000000.00000003.1783507148.0000000002580000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000003.1787745486.0000000003530000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kiloview.com/0http://www.kiloview.com/0http://www.kiloview.com/0http://www.kiloview.com/
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2723283541.0000000002426000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kiloview.com/9jB
Source: Recorder_System_v1.10.0048.exe, 00000000.00000003.2757737505.0000000002306000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kiloview.com/Ah0
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2723283541.0000000002426000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kiloview.com/aiB
Source: Recorder_System_v1.10.0048.exe, 00000000.00000003.1784888881.000000007FBE0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.exe, 00000000.00000003.1784363744.0000000002580000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000000.1786143348.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: Recorder_System_v1.10.0048.exe, 00000000.00000003.1784888881.000000007FBE0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.exe, 00000000.00000003.1784363744.0000000002580000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000000.1786143348.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.skygz.com
Source: powershell.exe, 00000006.00000002.2858291908.000001A080001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.2858291908.000001A080227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2956344021.000001A0F8EB0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2858291908.000001A081312000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2858291908.000001A08162A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000006.00000002.2858291908.000001A08162A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=pt-BRAtalho
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=pt-PTAtalho
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=roComanda
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ru
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=skSkratka
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=slBli
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=sr
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=svGenv
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=swUmeondoa
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=te
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=th
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=trK
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=uk
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=vi
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CN
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TW
Source: powershell.exe, 00000006.00000002.2936119512.000001A09006A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.2936119512.000001A09006A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.2936119512.000001A09006A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.2858291908.000001A080227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Recorder System.exe, 00000008.00000003.2796730525.00000201276F1000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.2797215811.0000020127841000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.2799992939.00000201276FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/js-cookie/js-cookie
Source: powershell.exe, 00000006.00000002.2858291908.000001A08162A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000006.00000002.2858291908.000001A0819B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2936119512.000001A09006A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.com
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comConta
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comContul
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comGoogle
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comGoogle-kontoSparade
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comKonta
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comT
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://primer.com.Uporaba
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=pt-BR
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=pt-PT
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=ro
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=ru
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=sk
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=sl
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=sr
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=sv
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=sw
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=te
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=th
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=tr
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=uk
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=vi
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=zh-CN
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=zh-TW
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/cloudprint/answer/2541843
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com$1
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/cloudprint#jobs
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comC
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comPesquisa
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comT
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comVyh
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comWyszukiwarka
Source: Recorder_System_v1.10.0048.exe, 00000000.00000000.1783068315.0000000000401000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://www.thawte.com/cps0/
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://www.thawte.com/repository0W

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49742 version: TLS 1.2

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Recorder_System_v1.10.0048.exe

Source: C:\Program Files (x86)\Recorder System\Recorder System.exe

File created: C:\Program Files (x86)\Recorder System\OpenHardwareMonitorLib.sys

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD9BADB772	12_2_00007FFD9BADB772
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD9BADA9C6	12_2_00007FFD9BADA9C6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD9BADA4C9	12_2_00007FFD9BADA4C9

Source: Recorder_System_v1.10.0048.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-MNRBK.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: is-3SREB.tmp.1.dr	Static PE information: Number of sections : 17 > 10
Source: is-RTIAS.tmp.1.dr	Static PE information: Number of sections : 12 > 10
Source: is-PN0JG.tmp.1.dr	Static PE information: Number of sections : 12 > 10
Source: is-1NU94.tmp.1.dr	Static PE information: Number of sections : 12 > 10
Source: is-5LL7O.tmp.1.dr	Static PE information: Number of sections : 12 > 10

Source: Recorder_System_v1.10.0048.exe, 00000000.00000003.2757737505.00000000022E8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs Recorder_System_v1.10.0048.exe
Source: Recorder_System_v1.10.0048.exe, 00000000.00000000.1783171187.00000000004B7000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs Recorder_System_v1.10.0048.exe
Source: Recorder_System_v1.10.0048.exe, 00000000.00000003.1784888881.000000007FBE0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs Recorder_System_v1.10.0048.exe
Source: Recorder_System_v1.10.0048.exe, 00000000.00000003.1784363744.0000000002580000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs Recorder_System_v1.10.0048.exe

Source: Recorder_System_v1.10.0048.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: sus36.evad.winEXE@15/2038@0/3

Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp

File created: C:\Program Files (x86)\Recorder System

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Mutant created: \Sessions\1\BaseNamedObjects\NewTek_AirPlay_UdpPingMutex
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Access_ISABUS.HTP.Method
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3896:120:WilError_03
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Mutant created: \Sessions\1\BaseNamedObjects\NewTek_AirPlay_UdpSendMutex
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Access_PCI
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex

Source: C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe

File created: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe

File read: C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe "C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe"
Source: C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe	Process created: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp "C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp" /SL5="$402A6,102473945,718848,C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe"
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Set-Executionpolicy remotesigned -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Process created: C:\Program Files (x86)\Recorder System\Recorder System.exe "C:\Program Files (x86)\Recorder System\Recorder System.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process created: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe "C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe" --type=renderer --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --use-gl=angle --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,BlinkGenPropertyTrees,MojoVideoCapture,NetworkServiceNotSupported,OriginTrials,SmsReceiver,UsePdfCompositorServiceForPrint,UseSurfaceLayerForVideo,VizDisplayCompositor,WebAuthentication,WebAuthenticationCable,WebPayments,WebUSB --lang=en-CH --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=11831953104643474927 --renderer-client-id=3 --mojo-platform-channel-handle=3536 /prefetch:1
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -file C:/Users/user/AppData/Local/official-recorder/temp/gpu.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wbem\WmiApSrv.exe C:\Windows\system32\wbem\WmiApSrv.exe
Source: C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe	Process created: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp "C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp" /SL5="$402A6,102473945,718848,C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Set-Executionpolicy remotesigned -Force	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Process created: C:\Program Files (x86)\Recorder System\Recorder System.exe "C:\Program Files (x86)\Recorder System\Recorder System.exe"	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process created: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe "C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe" --type=renderer --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --use-gl=angle --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,BlinkGenPropertyTrees,MojoVideoCapture,NetworkServiceNotSupported,OriginTrials,SmsReceiver,UsePdfCompositorServiceForPrint,UseSurfaceLayerForVideo,VizDisplayCompositor,WebAuthentication,WebAuthenticationCable,WebPayments,WebUSB --lang=en-CH --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=11831953104643474927 --renderer-client-id=3 --mojo-platform-channel-handle=3536 /prefetch:1	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -file C:/Users/user/AppData/Local/official-recorder/temp/gpu.ps1	Jump to behavior

Source: C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: processing.ndi.lib.x64.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5httpserver.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: libcrypto-1_1-x64.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5webengine.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5quick.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5multimedia.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5widgets.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5qml.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5websockets.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5network.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: classlibrary3.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5sslserverd.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5websockets.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5network.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5webenginecore.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5quick.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5webchannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5qml.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5network.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5network.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5qmlmodels.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5network.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5network.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5network.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5networkd.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5cored.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: vcruntime140d.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: ucrtbased.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5cored.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: msvcp140d.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: vcruntime140d.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: ucrtbased.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: msvcp140d.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: vcruntime140d.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: ucrtbased.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: ucrtbased.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5positioning.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: dxva2.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: hid.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: vcruntime140_1d.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: libegl.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: libglesv2.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5svg.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: processing.ndi.lib.advanced.x64.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: avformat-59.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: avcodec-59.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: avutil-57.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: avcodec-59.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: avutil-57.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: avutil-57.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: swresample-4.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: libssl-1_1-x64.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: libssl-1_1-x64.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: processing.ndi.plugins.ipcam.x64.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5qmlworkerscript.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5quicktemplates2.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: qt5quickcontrols2.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: mf.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: mfreadwrite.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: mfcaptureengine.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: dsound.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: quartz.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: windows.devices.enumeration.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: structuredquery.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: mswb7.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: devdispitemprovider.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: ddores.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: defaultdevicemanager.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: kbdus.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: comppkgsup.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: mfh264enc.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: windows.media.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: qt5core.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: qt5webenginecore.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: qt5quick.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: qt5gui.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: qt5webchannel.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: qt5qml.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: qt5network.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: qt5positioning.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: usp10.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: dxgi.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: d3d9.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: d3d11.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: dxva2.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: hid.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: qt5qmlmodels.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: qt5qml.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: qt5gui.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: qt5network.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: d3d11.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: dxgi.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: qt5qml.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: qt5network.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msscntrs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasctrs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: tapiperf.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: usbperf.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wbem\WmiApSrv.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiApSrv.exe	Section loaded: loadperf.dll
Source: C:\Windows\System32\wbem\WmiApSrv.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiApSrv.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WmiApSrv.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiApSrv.exe	Section loaded: profapi.dll

Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Recorder System.lnk.1.dr

LNK file: ..\..\..\..\..\Program Files (x86)\Recorder System\Recorder System.exe

Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp

File written: C:\Program Files (x86)\Recorder System\data\lang.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: Next >

Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Kiloview End User License Agreement of Kiloview NDI RecorderThis Kiloview End User License Agreement of Kiloview NDI Recorder (here after called "EULA" or "the license agreement") is made available by Changsha KILOVIEW Electronics CO. LTD. (here after called "Kiloview"). If you are the direct user of Kiloview NDI Recorder please read this EULA carefully before you use them as it governs your use of the Software.You shall also be aware that the Software and all copyrights patents trademarks trade secrets and other intellectual property rights associated therewith are and shall remain the property of Kiloview. Furthermore the User acknowledges and agrees that the source and object code of the Software and the format directories queries algorithms structure and organization of the Software are the intellectual property and proprietary and confidential information of Kiloview and its affiliates licensors and suppliers. Nothing in this EULA shall give to the User or any other person any right to access or use the Source Code or constitute any license of the Source Code. Except as expressly stated in this License the User is not granted any intellectual property rights in or to the Software by implication estoppel or other legal theory and all rights in and to the Software not expressly granted in this License are hereby reserved and retained by Kiloview.In the course of building and using the Software you may provide Kiloview with such personal data like first name last name email address company name etc. The information will be used to contact or identify you and to smooth your registration by sending verification code and provide or offer software updates and instructions. We will not send you advertising information nor will we disclose your personal data.Personal Data is or may be used for the following purposes: (a) to provide and improve the Software Content Services and other features and content offered by Kiloview (b) to administer the use of the Software (c) to fulfill requests the User may make (d) to and (e) to provide the User with further information and offers from Kiloview that we believe you may find useful or interesting including newsletters marketing or promotional materials and other information on services and products offered by Kiloview.Definitions"Software" refers to a NDI Recorder designed and developed by Kiloview for all NDI sources.Grant of LicenseUpon your use and purchase of Kiloview NDI Recorder you are granted to use the software under the terms of this EULA.Restrictions on Use1. You shall use the Software strictly in accordance to the terms herein and during or after the term you shall not: a) modify sell transfer resell for profits distribute or create derivative work based on the Software or any part
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Kiloview End User License Agreement of Kiloview NDI RecorderThis Kiloview End User License Agreement of Kiloview NDI Recorder (here after called "EULA" or "the license agreement") is made available by Changsha KILOVIEW Electronics CO. LTD. (here after called "Kiloview"). If you are the direct user of Kiloview NDI Recorder please read this EULA carefully before you use them as it governs your use of the Software.You shall also be aware that the Software and all copyrights patents trademarks trade secrets and other intellectual property rights associated therewith are and shall remain the property of Kiloview. Furthermore the User acknowledges and agrees that the source and object code of the Software and the format directories queries algorithms structure and organization of the Software are the intellectual property and proprietary and confidential information of Kiloview and its affiliates licensors and suppliers. Nothing in this EULA shall give to the User or any other person any right to access or use the Source Code or constitute any license of the Source Code. Except as expressly stated in this License the User is not granted any intellectual property rights in or to the Software by implication estoppel or other legal theory and all rights in and to the Software not expressly granted in this License are hereby reserved and retained by Kiloview.In the course of building and using the Software you may provide Kiloview with such personal data like first name last name email address company name etc. The information will be used to contact or identify you and to smooth your registration by sending verification code and provide or offer software updates and instructions. We will not send you advertising information nor will we disclose your personal data.Personal Data is or may be used for the following purposes: (a) to provide and improve the Software Content Services and other features and content offered by Kiloview (b) to administer the use of the Software (c) to fulfill requests the User may make (d) to and (e) to provide the User with further information and offers from Kiloview that we believe you may find useful or interesting including newsletters marketing or promotional materials and other information on services and products offered by Kiloview.Definitions"Software" refers to a NDI Recorder designed and developed by Kiloview for all NDI sources.Grant of LicenseUpon your use and purchase of Kiloview NDI Recorder you are granted to use the software under the terms of this EULA.Restrictions on Use1. You shall use the Software strictly in accordance to the terms herein and during or after the term you shall not: a) modify sell transfer resell for profits distribute or create derivative work based on the Software or any part

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Recorder_System_v1.10.0048.exe

Static PE information: certificate valid

Source: Recorder_System_v1.10.0048.exe

Static file information: File size 103244216 > 1048576

Source: Recorder_System_v1.10.0048.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_hangul.pdb source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_pinyin.pdb source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_openwnn.pdb<< source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_thai.pdb source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_tcime.pdb source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_pinyin.pdb11 source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_openwnn.pdb source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_tcime.pdb&& source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp

Source: is-J7HE7.tmp.1.dr

Static PE information: 0xD13A41F1 [Wed Mar 26 23:08:33 2081 UTC]

Source: is-TU764.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0x444f6
Source: is-Q5FKQ.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0x2e387
Source: is-MNRBK.tmp.1.dr	Static PE information: real checksum: 0x27437c should be: 0x27ab3b
Source: Recorder_System_v1.10.0048.tmp.0.dr	Static PE information: real checksum: 0x27437c should be: 0x26cf9f
Source: is-J7HE7.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0x18b2
Source: is-804L0.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0x1a6ea
Source: is-83BH1.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0x3515c4
Source: is-SHFJV.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0x5a6e9

Source: Recorder_System_v1.10.0048.exe	Static PE information: section name: .didata
Source: Recorder_System_v1.10.0048.tmp.0.dr	Static PE information: section name: .didata
Source: is-MNRBK.tmp.1.dr	Static PE information: section name: .didata
Source: is-RTIAS.tmp.1.dr	Static PE information: section name: .xdata
Source: is-1NU94.tmp.1.dr	Static PE information: section name: .xdata
Source: is-EUM4R.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-UI7R7.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-E91NQ.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-JD84L.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-4OUCQ.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-TIBQQ.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-MBHPB.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-GE8FV.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-MH0HG.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-F27G2.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-3SREB.tmp.1.dr	Static PE information: section name: /4
Source: is-3SREB.tmp.1.dr	Static PE information: section name: /19
Source: is-3SREB.tmp.1.dr	Static PE information: section name: /31
Source: is-3SREB.tmp.1.dr	Static PE information: section name: /45
Source: is-3SREB.tmp.1.dr	Static PE information: section name: /57
Source: is-3SREB.tmp.1.dr	Static PE information: section name: /70
Source: is-3SREB.tmp.1.dr	Static PE information: section name: /81
Source: is-3SREB.tmp.1.dr	Static PE information: section name: /92
Source: is-S4J4O.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-N1301.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-G8AU8.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-5FVBS.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-MP9MT.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-0HJJO.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-AJ66B.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-MJI5C.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-DRGH1.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-EFF43.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-D9NLO.tmp.1.dr	Static PE information: section name: _RDATA
Source: is-8H8RT.tmp.1.dr	Static PE information: section name: _RDATA
Source: is-VGKVT.tmp.1.dr	Static PE information: section name: _RDATA
Source: is-CQUNS.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-CUVSA.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-08QUI.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-K2N1T.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-R5K5O.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-THCCM.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-OH7NK.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-PQ3NI.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-K7O5H.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-N8GIK.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-EADOB.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-KMNA3.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-KV5D3.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-4IBFD.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-0QFR5.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-VKBN9.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-CKTA5.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-T1S7O.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-LT1NT.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-VCRLV.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-G1MA9.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-PN0JG.tmp.1.dr	Static PE information: section name: .xdata
Source: is-5LL7O.tmp.1.dr	Static PE information: section name: .xdata
Source: is-Q5FKQ.tmp.1.dr	Static PE information: section name: .nep
Source: is-804L0.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-83BH1.tmp.1.dr	Static PE information: section name: .00cfg
Source: is-T9U84.tmp.1.dr	Static PE information: section name: .didat
Source: is-F4125.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-SIQ9G.tmp.1.dr	Static PE information: section name: _RDATA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD9BAD2B14 push eax; iretd		12_2_00007FFD9BAD2B41
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD9BAD8615 push ebx; retf 0009h		12_2_00007FFD9BAD877A

Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\qmltooling\qmldbg_local.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\res\Utilities\x86\is-BIPF8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-G8AU8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\msvcp140d.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-4U359.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\styles\is-E91NQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-6C5RI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-9335K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt5Gui.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\ucrtbased.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\position\is-PQ3NI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\playlistformats\is-THCCM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\res\Utilities\x64\Record.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\platforms\is-R5K5O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\qmltooling\is-4IBFD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\vcruntime140_app.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\qmltooling\is-KMNA3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-EALVR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\avutil-57.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\scenegraph\is-UI7R7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\qmltooling\is-T1S7O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\swresample-4.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtWebEngine\is-MH0HG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt5Quick.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-5ICT0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\OpenHardwareMonitorLib.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\qmltooling\qmldbg_preview.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\position\is-K7O5H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-0L3BH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\bearer\qgenericbearer.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-3UTOM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQml\Models.2\is-PKGVS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\styles\qwindowsvistastyle.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N1VOU.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\virtualkeyboard\is-MP9MT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\playlistformats\qtmultimedia_m3u.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\position\qtposition_winrt.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Layouts\is-JD84L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-SHFJV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-F3CEC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt\labs\folderlistmodel\is-G1MA9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt5Svg.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-V6SB1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-6OI4S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\res\Utilities\x86\NewTek NDI Record.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\res\bin\disk\libstdc++-6.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\res\bin\disk\is-3SREB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-GPGMO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Window.2\windowplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-83BH1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-PN0JG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-MNRBK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Processing.NDI.Lib.x64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt5Cored.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtGraphicalEffects\private\qtgraphicaleffectsprivate.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQml\RemoteObjects\is-6KIDD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-SIQ9G.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\res\bin\disk\libwinpthread-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\qmltooling\is-VKBN9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Controls\Styles\Flat\qtquickextrasflatplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Dialogs\dialogplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\res\Utilities\x64\is-DFN06.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt5Multimedia.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\virtualkeyboard\is-5FVBS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\res\bin\disk\is-TU764.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt5RemoteObjects.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt5WebChannel.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-61F2F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\audio\is-V9O52.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-85FK3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick.2\is-GE8FV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt5WebEngineCore.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\platforms\qwindows.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\avformat-59.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\res\Utilities\x64\is-8H8RT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Controls.2\Imagine\is-F27G2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Templates.2\qtquicktemplates2plugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt5QuickTemplates2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt5SslServer.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-3GE9B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\position\is-OH7NK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\qmltooling\is-0QFR5.tmp	Jump to dropped file
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File created: C:\Program Files (x86)\Recorder System\OpenHardwareMonitorLib.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-U1B79.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt5SerialPort.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\libcrypto-1_1-x64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Controls.2\Universal\is-EFF43.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-6544C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\vcruntime140_1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtWebEngine\qtwebengineplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\OpenHardwareMonitorLib.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\qmltooling\is-EADOB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Extras\is-EUM4R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\qmltooling\is-LT1NT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\res\Utilities\x64\is-VGKVT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-T9U84.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\avcodec-59.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt5Widgets.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\res\bin\disk\a.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\res\Utilities\x64\is-D9NLO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\qmltooling\qmldbg_profiler.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt\labs\settings\is-F4125.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\ClassLibrary2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-TRR89.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Controls.2\Material\is-AJ66B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\iconengines\qsvgicon.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\qmltooling\is-KV5D3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\crashdump.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Controls.2\Material\qtquickcontrols2materialstyleplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\qmltooling\qmldbg_tcp.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\virtualkeyboard\is-N1301.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Recorder System.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-5C7MQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\iconengines\is-H1PR9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Controls.2\Imagine\qtquickcontrols2imaginestyleplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt5HttpServer.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-G3KAI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Controls.2\is-CQUNS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt5Core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-7UJLL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\qmltooling\is-N8GIK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\ClassLibrary3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-LS77V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\virtualkeyboard\is-S4J4O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-GFNU0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\vc_redist.x64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\scenegraph\qsgd3d12backend.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-A78JG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\virtualkeyboard\is-0HJJO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt5WebSockets.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-CCV2G.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt5QmlWorkerScript.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Templates.2\is-TIBQQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-20MOV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\qmltooling\qmldbg_server.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-L3NQ9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-PD6L0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt5Network.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\libGLESV2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt5SslServerd.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Dialogs\is-CUVSA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-M5BI4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\libEGL.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-6EG55.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\msvcp140_app.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQml\RemoteObjects\qtqmlremoteobjects.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-Q5FKQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\vcruntime140d.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt5Networkd.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\res\Utilities\x64\Application.NDIRecording.x64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\qmltooling\qmldbg_nativedebugger.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-MP0LO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\position\qtposition_serialnmea.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Controls\qtquickcontrolsplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\res\Utilities\x64\is-BR8E8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\audio\is-AIP0V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-G5QB1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-CBLA4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Dialogs\Private\dialogsprivateplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Extras\qtquickextrasplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\PrivateWidgets\widgetsplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-C0GG4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Controls\Styles\Flat\is-DRGH1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\res\bin\disk\is-AM3KL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Processing.NDI.Lib.Advanced.x64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\qmltooling\qmldbg_quickprofiler.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\res\bin\disk\libgcc_s_sjlj-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Controls.2\Universal\qtquickcontrols2universalstyleplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\PrivateWidgets\is-4OUCQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-S03US.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Window.2\is-MBHPB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-1NU94.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\qmltooling\is-CKTA5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\res\Utilities\x64\Application.NDIRecording.x64(new).exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-SGAAU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\vcruntime140_1d.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-VBRD9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQml\is-3ODCM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-M5UK8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\qmltooling\qmldbg_native.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\res\Utilities\x86\NewTek NDI Discovery Service.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQml\StateMachine\qtqmlstatemachine.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-KVNQ1.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe	File created: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Controls.2\Fusion\is-K2N1T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick.2\qtquick2plugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Controls\is-MJI5C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\qmltooling\is-VCRLV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\D3Dcompiler_47.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-RTIAS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-804L0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Dialogs\Private\is-08QUI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-5LL7O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt5Qml.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\res\Utilities\x86\is-B5JKA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\res\Utilities\x64\Application.NDIRecording.x64(old).exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQml\qmlplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\qmltooling\qmldbg_debugger.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt5WebEngine.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-J7HE7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\audio\qtaudio_windows.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\qmltooling\qmldbg_inspector.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\opengl32sw.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Controls.2\Fusion\qtquickcontrols2fusionstyleplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\bearer\is-GKC2P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Controls.2\qtquickcontrols2plugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\position\qtposition_positionpoll.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-TR3D0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\avdevice-59.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-O26DP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt5QmlModels.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt5QuickControls2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\res\Utilities\x64\NewTek NDI Discovery Service.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtGraphicalEffects\qtgraphicaleffectsplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\recorder.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt\labs\settings\qmlsettingsplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\swscale-6.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtGraphicalEffects\private\is-VCKO4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-09O1F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-S1GPN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQuick\Layouts\qquicklayoutsplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-OIS8P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtGraphicalEffects\is-053KA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\audio\qtaudio_wasapi.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\is-DTL5L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\qmltooling\qmldbg_messages.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\res\bin\disk\is-UKQUM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQml\StateMachine\is-AVBQ8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Qt5Positioning.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\Processing.NDI.Lib.DirectShow.x64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	File created: C:\Program Files (x86)\Recorder System\QtQml\Models.2\modelsplugin.dll (copy)	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Recorder System.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WmiApSrv.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)

Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSMBios_RawSMBiosTables
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSMBios_RawSMBiosTables
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSMBios_RawSMBiosTables
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSMBios_RawSMBiosTables

Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory allocated: 20108AD0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory allocated: 20122E20000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6789	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1450	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Window / User API: threadDelayed 5697	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6778
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2236

Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\qmltooling\qmldbg_local.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\qmltooling\qmldbg_tcp.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\virtualkeyboard\is-N1301.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\res\Utilities\x86\is-BIPF8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-G8AU8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-4U359.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\styles\is-E91NQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-6C5RI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-5C7MQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\iconengines\is-H1PR9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-9335K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Controls.2\Imagine\qtquickcontrols2imaginestyleplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\position\is-PQ3NI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\playlistformats\is-THCCM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-G3KAI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\res\Utilities\x64\Record.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Controls.2\is-CQUNS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-7UJLL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\platforms\is-R5K5O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\vcruntime140_app.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\qmltooling\is-4IBFD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\qmltooling\is-KMNA3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\qmltooling\is-N8GIK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-LS77V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-EALVR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\virtualkeyboard\is-S4J4O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\scenegraph\qsgd3d12backend.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-GFNU0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\vc_redist.x64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\virtualkeyboard\is-0HJJO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\scenegraph\is-UI7R7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-CCV2G.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\qmltooling\is-T1S7O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Templates.2\is-TIBQQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-20MOV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\qmltooling\qmldbg_server.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtWebEngine\is-MH0HG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-PD6L0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-L3NQ9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\qmltooling\qmldbg_preview.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\OpenHardwareMonitorLib.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-5ICT0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Dialogs\is-CUVSA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-M5BI4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-6EG55.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\position\is-K7O5H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-0L3BH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\msvcp140_app.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQml\RemoteObjects\qtqmlremoteobjects.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-Q5FKQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\res\Utilities\x64\Application.NDIRecording.x64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\bearer\qgenericbearer.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\qmltooling\qmldbg_nativedebugger.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\position\qtposition_serialnmea.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-MP0LO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Controls\qtquickcontrolsplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\audio\is-AIP0V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\res\Utilities\x64\is-BR8E8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-G5QB1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Dialogs\Private\dialogsprivateplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-CBLA4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Extras\qtquickextrasplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-3UTOM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\PrivateWidgets\widgetsplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQml\Models.2\is-PKGVS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\res\bin\disk\is-AM3KL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Controls\Styles\Flat\is-DRGH1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\styles\qwindowsvistastyle.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N1VOU.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\virtualkeyboard\is-MP9MT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\qmltooling\qmldbg_quickprofiler.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\playlistformats\qtmultimedia_m3u.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\position\qtposition_winrt.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\res\bin\disk\libgcc_s_sjlj-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Controls.2\Universal\qtquickcontrols2universalstyleplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\PrivateWidgets\is-4OUCQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-SHFJV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Layouts\is-JD84L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-F3CEC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-S03US.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\Qt\labs\folderlistmodel\is-G1MA9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Window.2\is-MBHPB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-1NU94.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\qmltooling\is-CKTA5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-V6SB1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\res\Utilities\x64\Application.NDIRecording.x64(new).exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-6OI4S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\res\Utilities\x86\NewTek NDI Record.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-SGAAU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\res\bin\disk\libstdc++-6.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-GPGMO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\res\bin\disk\is-3SREB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Window.2\windowplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQml\is-3ODCM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-83BH1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-M5UK8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-PN0JG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\qmltooling\qmldbg_native.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-MNRBK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\res\Utilities\x86\NewTek NDI Discovery Service.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtGraphicalEffects\private\qtgraphicaleffectsprivate.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQml\StateMachine\qtqmlstatemachine.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQml\RemoteObjects\is-6KIDD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-KVNQ1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\res\bin\disk\libwinpthread-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-SIQ9G.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Controls\Styles\Flat\qtquickextrasflatplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\qmltooling\is-VKBN9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Controls.2\Fusion\is-K2N1T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick.2\qtquick2plugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Dialogs\dialogplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\res\Utilities\x64\is-DFN06.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\virtualkeyboard\is-5FVBS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Controls\is-MJI5C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\Qt5RemoteObjects.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\res\bin\disk\is-TU764.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\qmltooling\is-VCRLV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-61F2F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\audio\is-V9O52.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-RTIAS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-804L0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Dialogs\Private\is-08QUI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-5LL7O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-85FK3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick.2\is-GE8FV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\platforms\qwindows.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\res\Utilities\x86\is-B5JKA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\res\Utilities\x64\Application.NDIRecording.x64(old).exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQml\qmlplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\res\Utilities\x64\is-8H8RT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Controls.2\Imagine\is-F27G2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\qmltooling\qmldbg_debugger.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Templates.2\qtquicktemplates2plugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-J7HE7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\Qt5SslServer.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\audio\qtaudio_windows.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\qmltooling\qmldbg_inspector.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-3GE9B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\position\is-OH7NK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\opengl32sw.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\qmltooling\is-0QFR5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Controls.2\Fusion\qtquickcontrols2fusionstyleplugin.dll (copy)	Jump to dropped file
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\OpenHardwareMonitorLib.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\bearer\is-GKC2P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Controls.2\qtquickcontrols2plugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\position\qtposition_positionpoll.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-TR3D0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\avdevice-59.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\Qt5SerialPort.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-U1B79.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-O26DP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\res\Utilities\x64\NewTek NDI Discovery Service.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtGraphicalEffects\qtgraphicaleffectsplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-6544C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Controls.2\Universal\is-EFF43.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtWebEngine\qtwebengineplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\recorder.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\OpenHardwareMonitorLib.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\qmltooling\is-EADOB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\Qt\labs\settings\qmlsettingsplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Extras\is-EUM4R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\swscale-6.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtGraphicalEffects\private\is-VCKO4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\qmltooling\is-LT1NT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\res\Utilities\x64\is-VGKVT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-09O1F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-T9U84.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\res\bin\disk\a.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-S1GPN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Layouts\qquicklayoutsplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-OIS8P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\res\Utilities\x64\is-D9NLO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\audio\qtaudio_wasapi.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\qmltooling\qmldbg_profiler.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtGraphicalEffects\is-053KA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\Qt\labs\settings\is-F4125.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-DTL5L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\ClassLibrary2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\is-TRR89.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\res\bin\disk\is-UKQUM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\iconengines\qsvgicon.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQml\StateMachine\is-AVBQ8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Controls.2\Material\is-AJ66B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\qmltooling\is-KV5D3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\crashdump.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQuick\Controls.2\Material\qtquickcontrols2materialstyleplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\QtQml\Models.2\modelsplugin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Recorder System\Processing.NDI.Lib.DirectShow.x64.dll (copy)	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3916	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3672	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4944	Thread sleep count: 6778 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4944	Thread sleep count: 2236 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1720	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3732	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Program Files (x86)\Recorder System\Recorder System.exe

Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File Volume queried: C:\Users\user\AppData\Local\Kiloview\Recorder System\QtWebEngine\Default\blob_storage\84b40db6-5102-449d-9a83-6065507ecf8b FullSizeInformation			Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File Volume queried: C:\Users\user\AppData\Local\Kiloview\Recorder System\cache\QtWebEngine\Default\Cache FullSizeInformation			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File opened: C:\Program Files (x86)\Recorder System\QtQuick	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File opened: C:\Program Files (x86)\Recorder System\QtQuick\Controls\Styles\Base	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File opened: C:\Program Files (x86)\Recorder System\QtQuick\Controls\Styles\Base\ButtonStyle.qmlc	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File opened: C:\Program Files (x86)\Recorder System\QtQuick\Controls	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File opened: C:\Program Files (x86)\Recorder System\QtQuick\Controls\Styles	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File opened: C:\Program Files (x86)\Recorder System	Jump to behavior

Source: Recorder System.exe, 00000008.00000003.3397153646.0000020128239000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Recorder System.exe, 00000008.00000003.3397153646.0000020128239000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: Recorder System.exe, 00000008.00000003.3397153646.0000020128239000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: Recorder System.exe, 00000008.00000003.3397153646.0000020128239000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2716711201.0000000000916000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\G
Source: Recorder System.exe, 00000008.00000003.3397153646.0000020128239000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0VMware20,1
Source: Recorder System.exe, 00000008.00000003.3397153646.0000020128239000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: Recorder System.exe, 00000008.00000003.3397153646.0000020128239000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: Recorder System.exe, 00000008.00000003.3397153646.0000020128239000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: Recorder System.exe, 00000008.00000003.3397153646.0000020128239000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2745011340.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ms

Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Program Files (x86)\Recorder System\Recorder System.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory allocated: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491A90000 protect: page read and write	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory allocated: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AA0000 protect: page no access	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory allocated: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD000 protect: page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory allocated: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AB0000 protect: page read and write	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\Recorder System\Recorder System.exe

NtCreateFile: Indirect: 0x7FFDEBF815E5

Jump to behavior

Writes to foreign memory regions

Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491A90000	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD420	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220DA90	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD460	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220D650	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD4A0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220D790	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD4E0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220F8A0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD520	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220D4D0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD560	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220F5A0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD5A0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220D4B0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD5E0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220F4E0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD620	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220D190	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD660	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220D470	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD6A0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220D5F0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD6E0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220D5D0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD720	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220D4F0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD760	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220D530	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD400	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FF641056540	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FF641056690	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FF641056760	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AB0000	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FF641056530	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FF641056750	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FF641056828	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FF641056830	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FF641055000	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FF6410568B0	Jump to behavior

Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process created: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe "C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe" --type=renderer --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --use-gl=angle --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,BlinkGenPropertyTrees,MojoVideoCapture,NetworkServiceNotSupported,OriginTrials,SmsReceiver,UsePdfCompositorServiceForPrint,UseSurfaceLayerForVideo,VizDisplayCompositor,WebAuthentication,WebAuthenticationCable,WebPayments,WebUSB --lang=en-CH --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=11831953104643474927 --renderer-client-id=3 --mojo-platform-channel-handle=3536 /prefetch:1			Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -file C:/Users/user/AppData/Local/official-recorder/temp/gpu.ps1			Jump to behavior

Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process created: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe "c:\program files (x86)\recorder system\qtwebengineprocess.exe" --type=renderer --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --use-gl=angle --enable-features=allowcontentinitiateddataurlnavigations,tracingserviceinprocess --disable-features=backgroundfetch,blinkgenpropertytrees,mojovideocapture,networkservicenotsupported,origintrials,smsreceiver,usepdfcompositorserviceforprint,usesurfacelayerforvideo,vizdisplaycompositor,webauthentication,webauthenticationcable,webpayments,webusb --lang=en-ch --webengine-schemes=qrc:slv --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=11831953104643474927 --renderer-client-id=3 --mojo-platform-channel-handle=3536 /prefetch:1
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process created: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe "c:\program files (x86)\recorder system\qtwebengineprocess.exe" --type=renderer --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --use-gl=angle --enable-features=allowcontentinitiateddataurlnavigations,tracingserviceinprocess --disable-features=backgroundfetch,blinkgenpropertytrees,mojovideocapture,networkservicenotsupported,origintrials,smsreceiver,usepdfcompositorserviceforprint,usesurfacelayerforvideo,vizdisplaycompositor,webauthentication,webauthenticationcable,webpayments,webusb --lang=en-ch --webengine-schemes=qrc:slv --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=11831953104643474927 --renderer-client-id=3 --mojo-platform-channel-handle=3536 /prefetch:1			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\platforms\qwindows.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\styles\qwindowsvistastyle.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\crashdump.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\iconengines\qsvgicon.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\imageformats\qgif.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\imageformats\qico.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\imageformats\qjpeg.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\imageformats\qtga.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\imageformats\qtiff.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\imageformats\qwbmp.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\recorder.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Users\user\AppData\Local\official-recorder\lang.ini VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Users\user\AppData\Local\official-recorder\lang.ini VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\bearer\qgenericbearer.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\translations\qt_en.qm VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQuick.2\qmldir VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQuick.2\qtquick2plugin.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQuick\Window.2\qmldir VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQuick\Window.2\windowplugin.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQuick\Dialogs\qmldir VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQuick\Dialogs\dialogplugin.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQuick\Controls\qmldir VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQuick\Controls\qtquickcontrolsplugin.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtGraphicalEffects\qmldir VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtGraphicalEffects\qtgraphicaleffectsplugin.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtWebEngine\qmldir VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtWebEngine\qtwebengineplugin.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQuick\Controls.2\qmldir VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQuick\Controls.2\qtquickcontrols2plugin.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQuick\Templates.2\qmldir VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQuick\Templates.2\qtquicktemplates2plugin.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQml\qmldir VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQml\qmlplugin.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQuick\Controls\Private\qmldir VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQuick\Dialogs\Private\qmldir VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQuick\Dialogs\Private\dialogsprivateplugin.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQuick\Layouts\qmldir VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQuick\Layouts\qquicklayoutsplugin.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\Qt\labs\folderlistmodel\qmldir VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\Qt\labs\folderlistmodel\qmlfolderlistmodelplugin.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\Qt\labs\settings\qmldir VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\Qt\labs\settings\qmlsettingsplugin.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQuick\Dialogs\qml\qmldir VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQuick\Controls\Styles\qmldir VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQuick\Controls\Styles\Desktop\qmldir VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\ClassLibrary3.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQuick\Dialogs\qml\icons.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQuick\Dialogs\qml\icons.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\ClassLibrary2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\OpenHardwareMonitorLib.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQuick\Controls\Styles\Base\images\arrow-down.png VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtQuick\Controls\Styles\Base\images\arrow-down.png VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\img\icon_sq_d.png VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\img\icon_sq_d.png VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\img\min.png VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\img\min.png VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\img\normal.png VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\img\normal.png VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\img\close.png VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\img\close.png VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\img\logo.png VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\img\logo.png VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\qml\en_us.qm VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\audio\qtaudio_wasapi.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtGraphicalEffects\private\qmldir VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\QtGraphicalEffects\private\qtgraphicaleffectsprivate.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\img\tempsnip.png VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\img\tempsnip.png VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\index.html VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\static\css\app.css VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\static\js\manifest.7212102.js VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\static\js\vendor.7212102.js VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\static\js\app.7212102.js VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Users\user\AppData\Local\Kiloview\Recorder System\QtWebEngine\Default\Local Storage\leveldb\MANIFEST-000001 VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\lang\zh.json VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\static\js\3.7212102.js VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\static\js\0.7212102.js VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\lang\en.json VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\static\favicon.png VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\static\img\icon_auth_countdown.c83bc09.png VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Program Files (x86)\Recorder System\res\static\favicon.png VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Queries volume information: C:\Users\user\AppData\Local\official-recorder\log_20240426_190955.316.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Program Files (x86)\Recorder System\Recorder System.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Windows Service	1 Windows Service	12 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	211 Process Injection	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	211 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSA Secrets	2 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	33 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Recorder_System_v1.10.0048.exe	2%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\Recorder System\D3Dcompiler_47.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\Recorder System\OpenHardwareMonitorLib.sys	5%	ReversingLabs
C:\Program Files (x86)\Recorder System\Processing.NDI.Lib.Advanced.x64.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Recorder System\Processing.NDI.Lib.x64.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Recorder System\Qt5Core.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Recorder System\Qt5Cored.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Recorder System\Qt5Gui.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Recorder System\Qt5Multimedia.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Recorder System\Qt5Network.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Recorder System\Qt5Networkd.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Recorder System\Qt5Positioning.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Recorder System\Qt5Qml.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Recorder System\Qt5QmlModels.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Recorder System\Qt5QmlWorkerScript.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Recorder System\Qt5Quick.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Recorder System\Qt5QuickControls2.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Recorder System\Qt5QuickTemplates2.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Recorder System\Qt5RemoteObjects.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Recorder System\Qt5SerialPort.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Recorder System\Qt5Svg.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Recorder System\Qt5WebChannel.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Recorder System\Qt5WebEngine.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Recorder System\Qt5WebEngineCore.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Recorder System\Qt5WebSockets.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\Recorder System\Qt5Widgets.dll (copy)	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://go.micro	0%	URL Reputation	safe
http://crl.mic	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://127.0.0.1:65534/static/favicon.png	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/api/ntp/get.json1	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/index.html?output=1#/homeatch(t)	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/api/output/get.json?project_id=1E	0%	Avira URL Cloud	safe
https://passwords.google.comContul	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/lang/en.jsontput=1	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/api/record/get.json?project_id=1er	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/api/record/get.json?project_id=1s	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/api/output/get.json?project_id=1	0%	Avira URL Cloud	safe
http://www.kiloview.com/	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/api/ntp/diff.json	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/api/performance/getSys.jsonnP	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/api/storage/getDeviceList.json8	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/=1	0%	Avira URL Cloud	safe
http://www.kiloview.com/Ah0	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/api/output/get.json?project_id=1KX	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/index.html?output=1#/homet)	0%	Avira URL Cloud	safe
http://www.innosetup.com	0%	Avira URL Cloud	safe
https://www.google.comVyh	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/index.html?output=1534/	0%	Avira URL Cloud	safe
http://www.kiloview.com/0http://www.kiloview.com/0http://www.kiloview.com/0http://www.kiloview.com/	0%	Avira URL Cloud	safe
https://primer.com.Uporaba	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/api/storage/getAvailable.jsonhtml?output=1	0%	Avira URL Cloud	safe
http://www.kiloview.com/	0%	Virustotal		Browse
http://127.0.0.1:65534/api/ntp/get.json:65534/	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/api/source/get.json	0%	Avira URL Cloud	safe
https://passwords.google.comConta	0%	Avira URL Cloud	safe
https://www.google.comC	0%	Avira URL Cloud	safe
http://127.0.0.1	0%	Avira URL Cloud	safe
http://www.skygz.com	0%	Avira URL Cloud	safe
http://127.0.0.1	2%	Virustotal		Browse
http://crl.micP	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/index.html?output=1#/homedex.html?output=1	0%	Avira URL Cloud	safe
https://passwords.google.comGoogle-kontoSparade	0%	Avira URL Cloud	safe
http://crl.mic4	0%	Avira URL Cloud	safe
http://www.innosetup.com	2%	Virustotal		Browse
http://127.0.0.1:65534/index.html?output=1calX	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/api/output/get.json?project_id=1~	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/2	0%	Avira URL Cloud	safe
http://www.skygz.com	0%	Virustotal		Browse
http://127.0.0.1:65534/api/storage/getDeviceList.json	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/api/ntp/diff.jsonH	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/api/record/get.json?project_id=1	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/api/storage/getAvailable.json	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/index.html?output=1G	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/api/ntp/diff.json8	0%	Avira URL Cloud	safe
https://www.google.comT	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/lang/en.jsontput=1=1	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/K	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/index.html?output=1#/home	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/lang/en.json(	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/api/storage/getDeviceList.json0I	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/index.html?output=1	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/index.html?output=1#/home)	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/api/performance/getSys.jsonid=1	0%	Avira URL Cloud	safe
http://127.0.0.1:65534/index.html?output=1l	0%	Avira URL Cloud	safe
http://17.0.0.165534/index.html?output=1	0%	Avira URL Cloud	safe
http://www.kiloview.com/aiB	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://support.google.com/chrome/?p=ui_supervised_users&hl=pt-BR	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://127.0.0.1:65534/api/output/get.json?project_id=1E	Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:65534/api/ntp/get.json1	Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.google.com/chrome/answer/6098869	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://127.0.0.1:65534/index.html?output=1#/homeatch(t)	Recorder System.exe, 00000008.00000003.2930002756.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=vi	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://passwords.google.comContul	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:65534/static/favicon.png	Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.google.com/chrome/?p=ui_supervised_users&hl=ro	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://127.0.0.1:65534/lang/en.jsontput=1	Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:65534/api/record/get.json?project_id=1er	Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:65534/api/record/get.json?project_id=1s	Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:65534/api/output/get.json?project_id=1	Recorder System.exe, 00000008.00000003.3236601604.00000201274F2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.kiloview.com/	Recorder_System_v1.10.0048.exe, 00000000.00000000.1783171187.00000000004B7000.00000002.00000001.01000000.00000003.sdmp, Recorder_System_v1.10.0048.exe, 00000000.00000003.1784888881.000000007FBE0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.exe, 00000000.00000003.1784363744.0000000002580000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.exe, 00000000.00000003.2757737505.0000000002306000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000000.1786730697.0000000000668000.00000002.00000001.01000000.00000004.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000003.2723283541.0000000002426000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/cloudprint#jobs	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://127.0.0.1:65534/api/ntp/diff.json	Recorder System.exe, 00000008.00000003.3236601604.00000201274F2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:65534/api/performance/getSys.jsonnP	Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000006.00000002.2858291908.000001A0819B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2936119512.000001A09006A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:65534/api/storage/getDeviceList.json8	Recorder System.exe, 00000008.00000003.3311842712.00000201285B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://passwords.google.com	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://127.0.0.1:65534/=1	Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kiloview.com/Ah0	Recorder_System_v1.10.0048.exe, 00000000.00000003.2757737505.0000000002306000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:65534/api/output/get.json?project_id=1KX	Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:65534/index.html?output=1#/homet)	Recorder System.exe, 00000008.00000003.2930002756.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.2993437399.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.innosetup.com	Recorder_System_v1.10.0048.exe, 00000000.00000003.1784888881.000000007FBE0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.exe, 00000000.00000003.1784363744.0000000002580000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000000.1786143348.0000000000401000.00000020.00000001.01000000.00000004.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.comVyh	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000006.00000002.2858291908.000001A080001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:65534/index.html?output=1534/	Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000006.00000002.2858291908.000001A080227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2956344021.000001A0F8EB0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2858291908.000001A081312000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2858291908.000001A08162A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000006.00000002.2858291908.000001A080227000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.kiloview.com/0http://www.kiloview.com/0http://www.kiloview.com/0http://www.kiloview.com/	Recorder_System_v1.10.0048.exe, 00000000.00000003.1783507148.0000000002580000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000003.1787745486.0000000003530000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://primer.com.Uporaba	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000006.00000002.2858291908.000001A08092E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2858291908.000001A080227000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=ui_supervised_users&hl=sv	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000006.00000002.2858291908.000001A080227000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=ui_supervised_users&hl=sw	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://127.0.0.1:65534/api/storage/getAvailable.jsonhtml?output=1	Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000006.00000002.2858291908.000001A08162A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:65534/api/ntp/get.json:65534/	Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:65534/api/source/get.json	Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.mic	powershell.exe, 00000006.00000002.2959404528.000001A0F9102000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000006.00000002.2936119512.000001A09006A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://passwords.google.comConta	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.google.com/chrome/?p=ui_supervised_users&hl=pt-PT	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.comC	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1	Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.google.com/chrome/?p=ui_supervised_users&hl=tr	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.skygz.com	Recorder_System_v1.10.0048.exe, 00000000.00000003.1784888881.000000007FBE0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.exe, 00000000.00000003.1784363744.0000000002580000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000000.1786143348.0000000000401000.00000020.00000001.01000000.00000004.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.google.com/chrome/?p=ui_supervised_users&hl=th	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=ui_supervised_users&hl=te	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.micP	powershell.exe, 00000006.00000002.2959404528.000001A0F9102000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000006.00000002.2858291908.000001A080227000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:65534/index.html?output=1#/homedex.html?output=1	Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=zh-TW	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://passwords.google.comGoogle-kontoSparade	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=roComanda	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.mic4	powershell.exe, 00000006.00000002.2959404528.000001A0F9102000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.google.com/chrome/?p=ui_supervised_users&hl=ru	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://127.0.0.1:65534/index.html?output=1calX	Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000006.00000002.2858291908.000001A08092E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2858291908.000001A080227000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=swUmeondoa	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=ui_supervised_users&hl=sl	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/js-cookie/js-cookie	Recorder System.exe, 00000008.00000003.2796730525.00000201276F1000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.2797215811.0000020127841000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.2799992939.00000201276FD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=ui_supervised_users&hl=sr	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://127.0.0.1:65534/api/output/get.json?project_id=1~	Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=zh-CN	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=trK	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/?p=ui_supervised_users&hl=sk	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://127.0.0.1:65534/2	Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:65534/api/storage/getDeviceList.json	Recorder System.exe, 00000008.00000003.3311842712.00000201285B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://skygz.taobao.com	Recorder_System_v1.10.0048.exe, 00000000.00000003.1784888881.000000007FBE0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.exe, 00000000.00000003.1784363744.0000000002580000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000000.1786143348.0000000000401000.00000020.00000001.01000000.00000004.sdmp	false		high
http://127.0.0.1:65534/api/ntp/diff.jsonH	Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000006.00000002.2936119512.000001A09006A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:65534/api/record/get.json?project_id=1	Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:65534/api/storage/getAvailable.json	Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:65534/index.html?output=1G	Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.google.com/chrome/?p=ui_supervised_users&hl=vi	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://127.0.0.1:65534/api/ntp/diff.json8	Recorder System.exe, 00000008.00000003.3236601604.00000201274F2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.comT	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	false		high
http://127.0.0.1:65534/lang/en.jsontput=1=1	Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000006.00000002.2936119512.000001A09006A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:65534/K	Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:65534/index.html?output=1#/home	Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:65534/lang/en.json(	Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:65534/api/storage/getDeviceList.json0I	Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:65534/index.html?output=1	Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=pt-BRAtalho	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://127.0.0.1:65534/index.html?output=1#/home)	Recorder System.exe, 00000008.00000003.2930002756.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.2993437399.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:65534/api/performance/getSys.jsonid=1	Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=ru	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://127.0.0.1:65534/index.html?output=1l	Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.google.com/chrome/?p=ui_supervised_users&hl=uk	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=te	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://17.0.0.165534/index.html?output=1	Recorder System.exe, 00000008.00000003.3225818355.0000020128239000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3377926199.0000020128200000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3256437375.0000020128239000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3279634870.0000020128200000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3352744268.0000020128200000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.kiloview.com/aiB	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2723283541.0000000002426000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000006.00000002.2858291908.000001A0819B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2936119512.000001A09006A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=skSkratka	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore/category/extensions	Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1
192.168.2.4
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432274
Start date and time:	2024-04-26 19:06:31 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	Recorder_System_v1.10.0048.exe
Detection:	SUS
Classification:	sus36.evad.winEXE@15/2038@0/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 4 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 192.229.211.108, 23.204.76.112
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 5680 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5684 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:09:12	API Interceptor	479400x Sleep call for process: Recorder System.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://unilever3.demdex.net/firstevent?d_event=click&d_bu=317196&c_medium=display&c_destination=Retailer&c_country=BD&c_campaignname=L-LifebuoyHandsanitizerLaunchComm&c_prodcat=CH1097&c_brandcode=BH0300&d_adgroup=All_KV&c_contenttype=display&c_source=Dhaka%20Tribune&d_rd=https://campaign-statistics.com/link_click/PidJvkyg2S_O4JTm/159dfdb0ade49a7c5597d3c1d9bd3d8a	Get hash	malicious	Unknown	Browse	40.68.123.157 173.222.162.32
	z55NF-Faturada-23042024.msi	Get hash	malicious	MicroClip	Browse	40.68.123.157 173.222.162.32
	Housecallpro Chase Bank ACH.htm	Get hash	malicious	Unknown	Browse	40.68.123.157 173.222.162.32
	https://cdp1.tracking.e360.salesforce.com/click?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0ZW5hbnRfaWQiOiJhMzYwL3Byb2QvNTBhMGYyODg2ZTg4NDA3Y2I1ODUwYmRjOWQwZGIxZTUiLCJjcmVhdGlvbl90aW1lIjoxNzE0MTAxOTIyLCJtZXNzYWdlX2lkIjoiMGd4d3poYXc3czloeGZoZWNuNjNuYnFwIzg0YjRlN2VjLTdhZjUtNDU5Yi1hNTYxLWE1ZmVlMTE3NTllNiIsImNoYW5uZWxfdHlwZSI6ImVtYWlsIiwiZXhwIjoxNzQ1NjM3OTIyLCJyZWRpcmVjdF91cmwiOiJodHRwczovL3ZtbWVzc2FuZ2VyLnJkb2NtZ2xvYmFsLmNvbS9kb2NzL2luZGV4LnBocD9tYWlsPSUyMGphbWVzLmZheUBjb3VudHluYXRpb25hbGJhbmsuY29tJnBhdGhzPWFib3ZlJmxpbms9RmF4X091dGxvb2siLCJpbmRpdmlkdWFsX2lkIjoiNDA4YWI4OGRlY2JmNDFjMjRhYTZhMDRlOWU1OWMzZDAifQ.i-tkK1Lnys-MM487ot1MrSYQb6ExLgZNRQbgsH8B2K0	Get hash	malicious	Captcha Phish	Browse	40.68.123.157 173.222.162.32
	http://relevanteduofficelogin.relevantedu.xyz	Get hash	malicious	HTMLPhisher	Browse	40.68.123.157 173.222.162.32
	Settlement DOL 08262024 - Victoria Brignon - Reference #27224675-2722934.html	Get hash	malicious	HTMLPhisher	Browse	40.68.123.157 173.222.162.32
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	40.68.123.157 173.222.162.32
	https://downloads.locklizard.com/SafeguardPDFViewer_v3.exe	Get hash	malicious	Unknown	Browse	40.68.123.157 173.222.162.32
	https://cdp1.tracking.e360.salesforce.com/click?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0ZW5hbnRfaWQiOiJhMzYwL3Byb2QvNTBhMGYyODg2ZTg4NDA3Y2I1ODUwYmRjOWQwZGIxZTUiLCJjcmVhdGlvbl90aW1lIjoxNzE0MTM3MzAwLCJtZXNzYWdlX2lkIjoiMGd5MGJnNjBqOTJwcmNuZjhhNHNxYWpwIzZjY2RmYjMyLWJiNzgtNGQwNC1hYWYwLTg3MjdkMTg4MjZlMyIsImNoYW5uZWxfdHlwZSI6ImVtYWlsIiwiZXhwIjoxNzQ1NjczMzAwLCJyZWRpcmVjdF91cmwiOiJodHRwczovL3ZtbWVzc2FuZ2VyLnJkb2NtZ2xvYmFsLmNvbS9kb2NzL2luZGV4LnBocD9tYWlsPSUyMGhiYXJ0aGxvd0BzZWN1cnVzdGVjaG5vbG9naWVzLmNvbSZwYXRocz1hYm92ZSZsaW5rPUZheF9PdXRsb29rIiwiaW5kaXZpZHVhbF9pZCI6IjQ0NDY4NzI5YzA1N2Q5ZDJjYzNiYjZlOTc3NDg3MzUyIn0.AryFGbNWOut6hGg1x_WBQ4QL5QU_wggDk6q2PUj7rNI	Get hash	malicious	Captcha Phish	Browse	40.68.123.157 173.222.162.32
	https://srmcorp.tecuidoc.com/?PSZlk=ViP	Get hash	malicious	HTMLPhisher	Browse	40.68.123.157 173.222.162.32

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\Recorder System\D3Dcompiler_47.dll (copy)	SecuriteInfo.com.Win64.Malware-gen.18747.19997.exe	Get hash	malicious	Unknown	Browse
	MultiCheat.exe	Get hash	malicious	Unknown	Browse
	ZLT_RO_2023-11-06_11_49_43.942.zip	Get hash	malicious	Unknown	Browse
	OpenAI Windows ChatGPT Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse
	AutoForge.exe	Get hash	malicious	Unknown	Browse
	ChampCup.exe	Get hash	malicious	Unknown	Browse
	update.exe	Get hash	malicious	Unknown	Browse
	https://zoomcloudcomputing.tech/index.php?uid=9871d3a2c554b27151cacf1422eec048	Get hash	malicious	Unknown	Browse
	installer5.222.msi	Get hash	malicious	Unknown	Browse
	https://github.com/ankitects/anki/releases/download/2.1.49/anki-2.1.49-windows.exe	Get hash	malicious	Unknown	Browse
C:\Program Files (x86)\Recorder System\OpenHardwareMonitorLib.sys	gq83mrprwy.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.Win64.TrojanX-gen.22735.27744.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.Win32.PWSX-gen.900.19500.exe	Get hash	malicious	RedLine, Xmrig	Browse
	nissrv.exe	Get hash	malicious	Xmrig	Browse
	nissrv.exe	Get hash	malicious	Xmrig	Browse
	Wave32bit.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Variant.Marsilia.120335.22241.7512.exe	Get hash	malicious	Moneroocean Miner, Xmrig	Browse
	nissrv.exe	Get hash	malicious	Xmrig	Browse
	DeltaX.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.Win32.PWSX-gen.22336.13850.exe	Get hash	malicious	Vidar	Browse

Process:	C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	3.9457537751904987
Encrypted:	false
SSDEEP:	48:6hcuEZngMWMxMSMUo7Ufq1UGi7NMsU9BpRydbU+Os3UjUDUKd1trWOFlGOY3O9gV:EEgTMySM3semmBpReblO0AUESYz3yI
MD5:	6CBD39E6A6620A142BB5B43A8435211B
SHA1:	F1DC1325977913B0850B8C74F7BBF991AF6C4D18
SHA-256:	975B8F8FA13CA45D2D82ED7EF0B87D56479C85CC155C6E0AA3703CD0CBFB5995
SHA-512:	A5175B47141A9D0AE6F25F6EC503D96ACC966AF099121DA24956CBC11AB34B57C6F2E0F8D43C228B4F6486A53EABDD2F89E8EC516FD62AC72B886A0453B38A5E
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....A:..........." ..0.............&... ...@....... ....................................`..................................)..O....@.......................`......,)..8............................................ ............... ..H............text...,.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.......................H.......d!..............................................................2.{....o....J.s....}.....(......(.....s....%.o....}.....{....o........0.........."........{....o.......+a...%o....o.........+@.........o.....3)..o........(....,....o........(....X...X....X.......i2...X....i2...1...k[".......0...........{....o......&.....................BSJB............v4.0.30319......l.......#~......h...#Strings....d.......#US.h.......#GUID...x...P...#Blob...........W..........3....

Process:	C:\Program Files (x86)\Recorder System\Recorder System.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: gq83mrprwy.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.TrojanX-gen.22735.27744.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.PWSX-gen.900.19500.exe, Detection: malicious, Browse Filename: nissrv.exe, Detection: malicious, Browse Filename: nissrv.exe, Detection: malicious, Browse Filename: Wave32bit.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Marsilia.120335.22241.7512.exe, Detection: malicious, Browse Filename: nissrv.exe, Detection: malicious, Browse Filename: DeltaX.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.PWSX-gen.22336.13850.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x8ef3df77, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.4221123797147024
Encrypted:	false
SSDEEP:
MD5:	0A303D018D768524F0334E43BABBB148
SHA1:	97C16836940EC586886CFA0700E12F8278A480B4
SHA-256:	4A53DCEDC6717D247E658513B8BE3C0E585788F567E5A8079BD6316749155F75
SHA-512:	0A5CD012DC8A961CEBAE3F7599B7E9673A0D83A58AF31ED6035C8F07FA38D64CA73F4F274E2563A3B69C70AFA6C5244B2A8B0532C5BEED111E8AA08E5945828E
Malicious:	false
Preview:	...w... .......A.......X\...;...{......................0.!..........{A......\|..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................G.4......\|...................0'......\|...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

Process:	C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2528768
Entropy (8bit):	6.411498897188459
Encrypted:	false
SSDEEP:
MD5:	1F06960E3F2EEB78A46C85642496CA37
SHA1:	D56E271D37245DABF1C4ACA0EC506125E3DA44EF
SHA-256:	7836D4E9E20CC741779E1C96CDEF50A7DA04A02AFC88C7BE02C3F55B4A0CC2A9
SHA-512:	E75B30195F7039D7FC6DA7A71A1D3F3C6D5D7FB9B0EC40EA680A8694E2952AD7E594CF64A5BA6A8DCF3BCC0FF1D4CE16136601AA6ADF63DFD88FB58F95AC9B18
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...J.m^..................%..........$%......0%...@...........................'.....\|C'...@......@...................`&.......&.n6....&.......................................................&.....................`.&.\....P&......................text...H.$.......$................. ..`.itext...&....%..(....$............. ..`.data...x[...0%..\....%.............@....bss.....u....%..........................idata..n6....&..8...n%.............@....didata......P&.......%.............@....edata.......`&.......%.............@..@.tls....D....p&..........................rdata..].....&.......%.............@..@.rsrc.........&.......%.............@..@..............'.......&.............@..@........................................................

Entrypoint:	0x4a6ed0
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5E6DCA49 [Sun Mar 15 06:25:13 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	eb5bc6ff6263b364dfbfb78bdb48ed59

Signature Valid:	true
Signature Issuer:	CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	23/03/2022 00:00:00 22/03/2024 23:59:59
Subject Chain	CN="Changsha KILOVIEW Electronics Co., Ltd.", O="Changsha KILOVIEW Electronics Co., Ltd.", S=\u6e56\u5357\u7701, C=CN, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=CN, SERIALNUMBER=9143011157223315X8
Version:	3
Thumbprint MD5:	A3B5903FE8234EA1F1EDA0F3DDD02CAF
Thumbprint SHA-1:	04DC5A471D69A345A270D8DFAC858E33628055BB
Thumbprint SHA-256:	76AF795CDFF959A95543A8A2BFD2F2A2E3513761491423571358C48682B76DC7
Serial:	2E62C549549CB1C19DF8F2F54D1778FD

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xb5000	0x9a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb3000	0xf1c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb8000	0x4457	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x6270e98	0x5320
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb7000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb32e0	0x240	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xb4000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa4648	0xa4800	1a78016a5136b8098f54ef92faf02de1	False	0.35704490406534956	data	6.390266365913077	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xa6000	0x1668	0x1800	1ab5e113081ff3bc2c77d98988bb4f99	False	0.5402018229166666	data	5.904124295136662	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xa8000	0x37a4	0x3800	8b8178989eeee1a9d5355e5356d65fae	False	0.36070033482142855	data	5.04703869331919	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xac000	0x6778	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb3000	0xf1c	0x1000	39e34066552cd253ea6ec8192cf02aef	False	0.366455078125	data	4.879899770580934	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xb4000	0x1a4	0x200	d0c7bef5217588db089445b43a213d23	False	0.345703125	data	2.712872162409855	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xb5000	0x9a	0x200	f28db148edcfcddd3dfeb061dc470dee	False	0.2578125	data	1.8895623989294017	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xb6000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xb7000	0x5d	0x200	185642fa268bab79fb1c35168c4a8b2a	False	0.189453125	data	1.3824199855691357	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xb8000	0x4457	0x4600	4d3328693bfb385f15037b954537e8f4	False	0.31947544642857145	data	4.38079784997622	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xb84c8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Dutch	Netherlands	0.5675675675675675
RT_ICON	0xb85f0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Dutch	Netherlands	0.4486994219653179
RT_ICON	0xb8b58	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Dutch	Netherlands	0.4637096774193548
RT_ICON	0xb8e40	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Dutch	Netherlands	0.3935018050541516
RT_STRING	0xb96e8	0x360	data			0.34375
RT_STRING	0xb9a48	0x260	data			0.3256578947368421
RT_STRING	0xb9ca8	0x45c	data			0.4068100358422939
RT_STRING	0xba104	0x40c	data			0.3754826254826255
RT_STRING	0xba510	0x2d4	data			0.39226519337016574
RT_STRING	0xba7e4	0xb8	data			0.6467391304347826
RT_STRING	0xba89c	0x9c	data			0.6410256410256411
RT_STRING	0xba938	0x374	data			0.4230769230769231
RT_STRING	0xbacac	0x398	data			0.3358695652173913
RT_STRING	0xbb044	0x368	data			0.3795871559633027
RT_STRING	0xbb3ac	0x2a4	data			0.4275147928994083
RT_RCDATA	0xbb650	0x10	data			1.5
RT_RCDATA	0xbb660	0x2c4	data			0.6384180790960452
RT_RCDATA	0xbb924	0x2c	data			1.25
RT_GROUP_ICON	0xbb950	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0xbb990	0x518	data	English	United States	0.2937116564417178
RT_MANIFEST	0xbbea8	0x5af	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4268041237113402

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
advapi32.dll	RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x4539d4
__dbk_fcall_wrapper	2	0x40d3dc
dbkFCallWrapperAddr	1	0x4af63c

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 19:07:21.832207918 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 26, 2024 19:07:31.441550970 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 26, 2024 19:07:44.424856901 CEST	49733	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:07:44.424946070 CEST	443	49733	40.68.123.157	192.168.2.4
Apr 26, 2024 19:07:44.425081968 CEST	49733	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:07:44.429723978 CEST	49733	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:07:44.429759026 CEST	443	49733	40.68.123.157	192.168.2.4
Apr 26, 2024 19:07:45.154881001 CEST	443	49733	40.68.123.157	192.168.2.4
Apr 26, 2024 19:07:45.158693075 CEST	49733	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:07:45.907430887 CEST	49733	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:07:45.907494068 CEST	443	49733	40.68.123.157	192.168.2.4
Apr 26, 2024 19:07:45.908541918 CEST	443	49733	40.68.123.157	192.168.2.4
Apr 26, 2024 19:07:45.957221031 CEST	49733	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:07:46.752588987 CEST	49733	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:07:46.796139002 CEST	443	49733	40.68.123.157	192.168.2.4
Apr 26, 2024 19:07:46.800215006 CEST	49723	80	192.168.2.4	23.56.6.162
Apr 26, 2024 19:07:46.926512003 CEST	80	49723	23.56.6.162	192.168.2.4
Apr 26, 2024 19:07:46.926592112 CEST	49723	80	192.168.2.4	23.56.6.162
Apr 26, 2024 19:07:47.217243910 CEST	443	49733	40.68.123.157	192.168.2.4
Apr 26, 2024 19:07:47.217273951 CEST	443	49733	40.68.123.157	192.168.2.4
Apr 26, 2024 19:07:47.217283010 CEST	443	49733	40.68.123.157	192.168.2.4
Apr 26, 2024 19:07:47.217309952 CEST	443	49733	40.68.123.157	192.168.2.4
Apr 26, 2024 19:07:47.217324018 CEST	443	49733	40.68.123.157	192.168.2.4
Apr 26, 2024 19:07:47.217334032 CEST	443	49733	40.68.123.157	192.168.2.4
Apr 26, 2024 19:07:47.217349052 CEST	49733	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:07:47.217421055 CEST	443	49733	40.68.123.157	192.168.2.4
Apr 26, 2024 19:07:47.217453003 CEST	443	49733	40.68.123.157	192.168.2.4
Apr 26, 2024 19:07:47.217495918 CEST	49733	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:07:47.217497110 CEST	49733	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:07:47.217497110 CEST	49733	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:07:47.217526913 CEST	443	49733	40.68.123.157	192.168.2.4
Apr 26, 2024 19:07:47.217547894 CEST	443	49733	40.68.123.157	192.168.2.4
Apr 26, 2024 19:07:47.217607021 CEST	49733	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:07:47.233943939 CEST	49733	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:07:47.233983994 CEST	443	49733	40.68.123.157	192.168.2.4
Apr 26, 2024 19:07:47.234009981 CEST	49733	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:07:47.234025002 CEST	443	49733	40.68.123.157	192.168.2.4
Apr 26, 2024 19:08:10.035625935 CEST	49731	80	192.168.2.4	172.64.149.23
Apr 26, 2024 19:08:10.035717010 CEST	49732	80	192.168.2.4	172.64.149.23
Apr 26, 2024 19:08:10.035804987 CEST	49730	80	192.168.2.4	104.18.38.233
Apr 26, 2024 19:08:10.162051916 CEST	80	49730	104.18.38.233	192.168.2.4
Apr 26, 2024 19:08:10.162117004 CEST	80	49731	172.64.149.23	192.168.2.4
Apr 26, 2024 19:08:10.162121058 CEST	49730	80	192.168.2.4	104.18.38.233
Apr 26, 2024 19:08:10.162167072 CEST	49731	80	192.168.2.4	172.64.149.23
Apr 26, 2024 19:08:10.162591934 CEST	80	49732	172.64.149.23	192.168.2.4
Apr 26, 2024 19:08:10.162657976 CEST	49732	80	192.168.2.4	172.64.149.23
Apr 26, 2024 19:08:29.708936930 CEST	49738	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:08:29.708976030 CEST	443	49738	40.68.123.157	192.168.2.4
Apr 26, 2024 19:08:29.709069967 CEST	49738	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:08:29.709517956 CEST	49738	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:08:29.709528923 CEST	443	49738	40.68.123.157	192.168.2.4
Apr 26, 2024 19:08:30.434993029 CEST	443	49738	40.68.123.157	192.168.2.4
Apr 26, 2024 19:08:30.435074091 CEST	49738	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:08:30.441370010 CEST	49738	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:08:30.441387892 CEST	443	49738	40.68.123.157	192.168.2.4
Apr 26, 2024 19:08:30.441761017 CEST	443	49738	40.68.123.157	192.168.2.4
Apr 26, 2024 19:08:30.451488972 CEST	49738	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:08:30.496125937 CEST	443	49738	40.68.123.157	192.168.2.4
Apr 26, 2024 19:08:31.136826038 CEST	443	49738	40.68.123.157	192.168.2.4
Apr 26, 2024 19:08:31.136884928 CEST	443	49738	40.68.123.157	192.168.2.4
Apr 26, 2024 19:08:31.136929035 CEST	443	49738	40.68.123.157	192.168.2.4
Apr 26, 2024 19:08:31.136981964 CEST	49738	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:08:31.136981964 CEST	49738	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:08:31.136997938 CEST	443	49738	40.68.123.157	192.168.2.4
Apr 26, 2024 19:08:31.137056112 CEST	49738	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:08:31.137135983 CEST	443	49738	40.68.123.157	192.168.2.4
Apr 26, 2024 19:08:31.137171984 CEST	443	49738	40.68.123.157	192.168.2.4
Apr 26, 2024 19:08:31.137206078 CEST	49738	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:08:31.137211084 CEST	443	49738	40.68.123.157	192.168.2.4
Apr 26, 2024 19:08:31.137257099 CEST	49738	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:08:31.137262106 CEST	443	49738	40.68.123.157	192.168.2.4
Apr 26, 2024 19:08:31.137351990 CEST	443	49738	40.68.123.157	192.168.2.4
Apr 26, 2024 19:08:31.137394905 CEST	49738	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:08:31.141176939 CEST	49738	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:08:31.141191006 CEST	443	49738	40.68.123.157	192.168.2.4
Apr 26, 2024 19:08:31.141201019 CEST	49738	443	192.168.2.4	40.68.123.157
Apr 26, 2024 19:08:31.141206026 CEST	443	49738	40.68.123.157	192.168.2.4
Apr 26, 2024 19:08:33.247051001 CEST	49724	80	192.168.2.4	23.55.103.43
Apr 26, 2024 19:08:33.444545984 CEST	80	49724	23.55.103.43	192.168.2.4
Apr 26, 2024 19:08:33.444617987 CEST	49724	80	192.168.2.4	23.55.103.43
Apr 26, 2024 19:09:11.066312075 CEST	49672	443	192.168.2.4	173.222.162.32
Apr 26, 2024 19:09:11.068125010 CEST	49742	443	192.168.2.4	173.222.162.32
Apr 26, 2024 19:09:11.068161964 CEST	443	49742	173.222.162.32	192.168.2.4
Apr 26, 2024 19:09:11.068988085 CEST	49742	443	192.168.2.4	173.222.162.32
Apr 26, 2024 19:09:11.071650028 CEST	49742	443	192.168.2.4	173.222.162.32
Apr 26, 2024 19:09:11.071661949 CEST	443	49742	173.222.162.32	192.168.2.4
Apr 26, 2024 19:09:11.488744974 CEST	49672	443	192.168.2.4	173.222.162.32
Apr 26, 2024 19:09:11.542857885 CEST	443	49742	173.222.162.32	192.168.2.4
Apr 26, 2024 19:09:11.542942047 CEST	49742	443	192.168.2.4	173.222.162.32
Apr 26, 2024 19:09:11.731538057 CEST	49742	443	192.168.2.4	173.222.162.32
Apr 26, 2024 19:09:11.731556892 CEST	443	49742	173.222.162.32	192.168.2.4
Apr 26, 2024 19:09:11.733347893 CEST	443	49742	173.222.162.32	192.168.2.4
Apr 26, 2024 19:09:11.733402967 CEST	49742	443	192.168.2.4	173.222.162.32
Apr 26, 2024 19:09:11.735742092 CEST	49742	443	192.168.2.4	173.222.162.32
Apr 26, 2024 19:09:11.735776901 CEST	443	49742	173.222.162.32	192.168.2.4
Apr 26, 2024 19:09:11.757895947 CEST	49742	443	192.168.2.4	173.222.162.32
Apr 26, 2024 19:09:11.757903099 CEST	443	49742	173.222.162.32	192.168.2.4
Apr 26, 2024 19:09:12.098115921 CEST	49672	443	192.168.2.4	173.222.162.32
Apr 26, 2024 19:09:12.193036079 CEST	443	49742	173.222.162.32	192.168.2.4
Apr 26, 2024 19:09:12.193224907 CEST	49742	443	192.168.2.4	173.222.162.32
Apr 26, 2024 19:09:12.193240881 CEST	443	49742	173.222.162.32	192.168.2.4
Apr 26, 2024 19:09:12.193286896 CEST	49742	443	192.168.2.4	173.222.162.32
Apr 26, 2024 19:09:12.193763018 CEST	443	49742	173.222.162.32	192.168.2.4
Apr 26, 2024 19:09:12.193835974 CEST	49742	443	192.168.2.4	173.222.162.32
Apr 26, 2024 19:09:12.195417881 CEST	49742	443	192.168.2.4	173.222.162.32
Apr 26, 2024 19:09:12.195431948 CEST	443	49742	173.222.162.32	192.168.2.4
Apr 26, 2024 19:09:12.195440054 CEST	49742	443	192.168.2.4	173.222.162.32
Apr 26, 2024 19:09:12.195472002 CEST	49742	443	192.168.2.4	173.222.162.32
Apr 26, 2024 19:09:13.499368906 CEST	49672	443	192.168.2.4	173.222.162.32
Apr 26, 2024 19:09:15.900351048 CEST	49672	443	192.168.2.4	173.222.162.32
Apr 26, 2024 19:09:20.708375931 CEST	49672	443	192.168.2.4	173.222.162.32
Apr 26, 2024 19:09:30.380697966 CEST	49672	443	192.168.2.4	173.222.162.32

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 19:07:43.887715101 CEST	138	138	192.168.2.4	192.168.2.255
Apr 26, 2024 19:09:13.721811056 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 19:09:14.477425098 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 19:09:15.234523058 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 19:09:22.723412037 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 19:09:23.473459005 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 19:09:24.231563091 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 19:09:54.964709997 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 19:09:55.723539114 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 19:09:56.485423088 CEST	137	137	192.168.2.4	192.168.2.255

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Apr 26, 2024 19:09:07.235753059 CEST	192.168.2.4	192.168.2.1	aa44		Echo
Apr 26, 2024 19:09:07.235805988 CEST	192.168.2.1	192.168.2.4	b244		Echo Reply

Timestamp	Bytes transferred	Direction	Data
2024-04-26 17:07:46 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=65Oa4kKcCE2B2pL&MD=WhAthezU HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-26 17:07:47 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 0b1626a4-5bff-447e-a4ab-0a074d05d264 MS-RequestId: 205b6c16-d560-499e-ab30-0d5ed24929ec MS-CV: dC2JvQJqA0aHfEic.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 26 Apr 2024 17:07:46 GMT Connection: close Content-Length: 24490
2024-04-26 17:07:47 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-04-26 17:07:47 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Timestamp	Bytes transferred	Direction	Data
2024-04-26 17:08:30 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=65Oa4kKcCE2B2pL&MD=WhAthezU HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-26 17:08:31 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: 1238ac40-e126-4062-a420-2f96aa3a1c17 MS-RequestId: 5a321ce4-dece-45b1-9df0-c78a237f5292 MS-CV: iFRWen57f0CRnr37.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 26 Apr 2024 17:08:30 GMT Connection: close Content-Length: 25457
2024-04-26 17:08:31 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-04-26 17:08:31 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Timestamp	Bytes transferred	Direction	Data
2024-04-26 17:09:11 UTC	2301	OUT	POST /threshold/xls.aspx HTTP/1.1 Origin: https://www.bing.com Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init Accept: / Accept-Language: en-CH Content-type: text/xml X-Agent-DeviceId: 01000A4109000CC6 X-BM-CBT: 1696420817 X-BM-DateFormat: dd/MM/yyyy X-BM-DeviceDimensions: 784x984 X-BM-DeviceDimensionsLogical: 784x984 X-BM-DeviceScale: 100 X-BM-DTZ: 60 X-BM-Market: CH X-BM-Theme: 000000;0078d7 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E X-Device-ClientSession: 0912CF9094994CFA88DE52C6FB19D4E1 X-Device-isOptin: false X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-Device-OSSKU: 48 X-Device-Touch: false X-DeviceID: 01000A4109000CC6 X-MSEdge-ExternalExp: bfbwsbrs0830tf,d-thshldspcl40,msbdsborgv2co,msbwdsbi920t1,spofglclicksh-c2,webtophit0r_t,wsbmsaqfuxtc,wsbqfasmsall_t,wsbqfminiserp400,wsbref-t X-MSEdge-ExternalExpType: JointCoord X-PositionerType: Desktop X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate X-Search-TimeZone: Bias=0; DaylightBias=-60; TimeZoneKeyName=GMT Standard Time X-UserAgeClass: Unknown Accept-Encoding: gzip, deflate, br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 Host: www.bing.com Content-Length: 2237 Connection: Keep-Alive Cache-Control: no-cache Cookie: MUID=6666694284484FA1B35CCB433D42E997; _SS=SID=193A581F83766B4319784BBF829B6A16&CPID=1696420820117&AC=1&CPH=e5c79613&CBV=39942242; _EDGE_S=SID=193A581F83766B4319784BBF829B6A16; SRCHUID=V=2&GUID=BA43D82178364AEA9C1EE6C32BE93416&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231003; SRCHHPGUSR=SRCHLANG=en&LUT=1696420817741&IPMH=425591ef&IPMID=1696420817913&HV=1696417346; ANON=A=6D8F9DF00282E660E425530EFFFFFFFF; CortanaAppUID=4C9C2B2D0465FD7A42C74C7E93CFB630; MUIDB=6666694284484FA1B35CCB433D42E997
2024-04-26 17:09:11 UTC	2237	OUT	Data Raw: 3c 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 36 36 36 36 36 39 34 32 38 34 34 38 34 46 41 31 42 33 35 43 43 42 34 33 33 44 34 32 45 39 39 37 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 38 39 32 46 41 30 37 38 38 36 34 31 34 42 44 46 38 45 45 31 37 36 34 41 35 39 46 46 33 39 43 36 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43 Data Ascii: <ClientInstRequest><CID>6666694284484FA1B35CCB433D42E997</CID><Events><E><T>Event.ClientInst</T><IG>892FA07886414BDF8EE1764A59FF39C6</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"C
2024-04-26 17:09:12 UTC	479	IN	HTTP/1.1 204 No Content Access-Control-Allow-Origin: * Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version X-MSEdge-Ref: Ref A: 1214D60A562043258584358630ADB83E Ref B: LAX311000110019 Ref C: 2024-04-26T17:09:12Z Date: Fri, 26 Apr 2024 17:09:12 GMT Connection: close Alt-Svc: h3=":443"; ma=93600 X-CDN-TraceID: 0.20a6dc17.1714151351.7a40502

Target ID:	0
Start time:	19:07:32
Start date:	26/04/2024
Path:	C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe"
Imagebase:	0x400000
File size:	103'244'216 bytes
MD5 hash:	A9042018E74F1FC91EBFC730A295C9B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	19:07:33
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp" /SL5="$402A6,102473945,718848,C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe"
Imagebase:	0x400000
File size:	2'528'768 bytes
MD5 hash:	1F06960E3F2EEB78A46C85642496CA37
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Recorder_System_v1.10.0048.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Recorder System\ClassLibrary2.dll (copy)

C:\Program Files (x86)\Recorder System\ClassLibrary3.dll (copy)

C:\Program Files (x86)\Recorder System\D3Dcompiler_47.dll (copy)

C:\Program Files (x86)\Recorder System\NDI_Recorder.exe.recipe (copy)

C:\Program Files (x86)\Recorder System\NDI_Recorder.log (copy)

C:\Program Files (x86)\Recorder System\OpenHardwareMonitorLib.dll (copy)

C:\Program Files (x86)\Recorder System\OpenHardwareMonitorLib.sys

C:\Program Files (x86)\Recorder System\Processing.NDI.Lib.Advanced.x64.dll (copy)

C:\Program Files (x86)\Recorder System\Processing.NDI.Lib.DirectShow.x64.dll (copy)

C:\Program Files (x86)\Recorder System\Processing.NDI.Lib.x64.dll (copy)

C:\Program Files (x86)\Recorder System\Qt5Core.dll (copy)

C:\Program Files (x86)\Recorder System\Qt5Cored.dll (copy)

C:\Program Files (x86)\Recorder System\Qt5Gui.dll (copy)

C:\Program Files (x86)\Recorder System\Qt5HttpServer.dll (copy)

C:\Program Files (x86)\Recorder System\Qt5Multimedia.dll (copy)

C:\Program Files (x86)\Recorder System\Qt5Network.dll (copy)

C:\Program Files (x86)\Recorder System\Qt5Networkd.dll (copy)

C:\Program Files (x86)\Recorder System\Qt5Positioning.dll (copy)

C:\Program Files (x86)\Recorder System\Qt5Qml.dll (copy)

Windows Analysis Report
Recorder_System_v1.10.0048.exe

Target ID:	6
Start time:	19:09:04
Start date:	26/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" Set-Executionpolicy remotesigned -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	19:09:05
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	19:09:07
Start date:	26/04/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	12
Start time:	19:09:39
Start date:	26/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -file C:/Users/user/AppData/Local/official-recorder/temp/gpu.ps1
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	14
Start time:	19:09:45
Start date:	26/04/2024
Path:	C:\Windows\System32\wbem\WmiApSrv.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\WmiApSrv.exe
Imagebase:	0x7ff6f8530000
File size:	209'920 bytes
MD5 hash:	9A48D32D7DBA794A40BF030DA500603B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre