Windows Analysis Report
tOniaJ21lj.exe

Overview

General Information

Sample name: tOniaJ21lj.exe
renamed because original name is a hash value
Original sample name: fa367a7d44377d2c3f684c3912fec827.exe
Analysis ID: 1455403
MD5: fa367a7d44377d2c3f684c3912fec827
SHA1: cb9e24a00431a7cccecf333b5d4ec34785389191
SHA256: 7256e9f673b78c62aae25f78902c393d758262202e8ab4e4b4f1d5d01cd4cd12
Tags: exeSocks5Systemz

Detection

Socks5Systemz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Socks5Systemz
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Machine Learning detection for dropped file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: tOniaJ21lj.exe Avira: detected
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UCHQL.tmp Avira: detection malicious, Label: ADWARE/AVI.ICLoader.jwrbl
Source: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe Avira: detection malicious, Label: HEUR/AGEN.1314993
Source: recordpadsoundrecorder32.exe.1412.4.memstrmin Malware Configuration Extractor: Socks5Systemz {"C2 list": ["aaxeeeo.ru"]}
Source: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UCHQL.tmp ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libeay32.dll (copy) ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe ReversingLabs: Detection: 42%
Source: tOniaJ21lj.exe ReversingLabs: Detection: 21%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UCHQL.tmp Joe Sandbox ML: detected
Source: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0045B864 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion, 1_2_0045B864
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0045B918 ArcFourCrypt, 1_2_0045B918
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0045B930 ArcFourCrypt, 1_2_0045B930
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_10001000 ISCryptGetVersion, 1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_10001130 ArcFourCrypt, 1_2_10001130
Source: is-UTKLG.tmp.1.dr Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_195b4133-0

Compliance

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Unpacked PE file: 3.2.recordpadsoundrecorder32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Unpacked PE file: 4.2.recordpadsoundrecorder32.exe.400000.0.unpack
Source: tOniaJ21lj.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Binary string: msvcp120.amd64.pdb source: is-FR4FM.tmp.1.dr
Source: Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: is-K3HBS.tmp.1.dr
Source: Binary string: D:\Work\_\QtAV\QtAV-Desktop_Qt_5_15_1_MSVC2019_64bit\lib_win_x86_64\QtAVWidgets1.pdb++ source: is-8ECK7.tmp.1.dr
Source: Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb.. source: is-RV2D1.tmp.1.dr
Source: Binary string: msvcr120.amd64.pdb source: is-C4R5U.tmp.1.dr
Source: Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: is-EAHN0.tmp.1.dr
Source: Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb source: is-RV2D1.tmp.1.dr
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Xml.pdb source: is-KI2RB.tmp.1.dr
Source: Binary string: C:\msys64\home\--\src\ffmpeg\libavdevice\avdevice-58.pdb source: is-JNDNQ.tmp.1.dr
Source: Binary string: C:\msys64\home\--\src\openh264-2.0.0_x64\openh264.pdb source: is-PRP4U.tmp.1.dr
Source: Binary string: C:\msys64\home\--\src\ffmpeg\libavdevice\avdevice-58.pdb## source: is-JNDNQ.tmp.1.dr
Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb** source: is-KU10K.tmp.1.dr
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5OpenGL.pdb source: is-0C056.tmp.1.dr
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5OpenGL.pdb33 source: is-0C056.tmp.1.dr
Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb source: is-KU10K.tmp.1.dr
Source: Binary string: D:\Work\_\QtAV\QtAV-Desktop_Qt_5_15_1_MSVC2019_64bit\lib_win_x86_64\QtAVWidgets1.pdb source: is-8ECK7.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0047A964 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_0047A964
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00470C84 FindFirstFileA,FindNextFileA,FindClose, 1_2_00470C84
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00451668 FindFirstFileA,GetLastError, 1_2_00451668
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00460594 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00460594
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00492760 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_00492760
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0047884C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_0047884C
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00460A10 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00460A10
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0045F008 FindFirstFileA,FindNextFileA,FindClose, 1_2_0045F008
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File opened: C:\Users\user\AppData

Networking

Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52618 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52621 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52623 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52624 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52625 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52626 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52627 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52628 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52629 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52630 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52631 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52632 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52633 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52634 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52635 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52636 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52637 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52638 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52639 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52640 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52641 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52642 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52643 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52644 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52645 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52646 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52647 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52648 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52649 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52650 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52651 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52652 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52653 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52654 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52655 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52656 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52657 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52658 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52659 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52660 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52661 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52662 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52663 -> 94.156.8.14:80
Source: Malware configuration extractor URLs: aaxeeeo.ru
Source: global traffic TCP traffic: 192.168.2.5:52619 -> 194.59.31.219:2023
Source: Joe Sandbox View IP Address: 94.156.8.14
Source: Joe Sandbox View IP Address: 194.59.31.219
Source: Joe Sandbox View ASN Name: NET1-ASBG
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ff710c2e8929d3d HTTP/1.1 | Host: aaxeeeo.ru | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: unknown TCP traffic detected without corresponding DNS query: 194.59.31.219
Source: unknown UDP traffic detected without corresponding DNS query: 152.89.198.214
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_026072A7 Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,_memset,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,_memset,_memset,_memset,_malloc,_memset,_strtok,_swscanf,_strtok,_free,Sleep,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_memset,_free, 4_2_026072A7
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ff710c2e8929d3d HTTP/1.1 Host: aaxeeeo.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic DNS traffic detected: DNS query: aaxeeeo.ru
Source: recordpadsoundrecorder32.exe, 00000004.00000002.3269409364.0000000000969000.00000004.00000020.00020000.00000000.sdmp, recordpadsoundrecorder32.exe, 00000004.00000002.3270365274.0000000003351000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://94.156.8.14/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f8
Source: recordpadsoundrecorder32.exe, 00000004.00000002.3269409364.000000000095F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://94.156.8.14/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d
Source: is-UCHQL.tmp.1.dr String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: is-UCHQL.tmp.1.dr String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0
Source: is-6P98M.tmp.1.dr, is-8ECK7.tmp.1.dr, is-PRP4U.tmp.1.dr, is-VDBC5.tmp.1.dr, is-JNDNQ.tmp.1.dr, is-UTKLG.tmp.1.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: is-6P98M.tmp.1.dr, is-8ECK7.tmp.1.dr, is-PRP4U.tmp.1.dr, is-VDBC5.tmp.1.dr, is-JNDNQ.tmp.1.dr, is-UTKLG.tmp.1.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: is-UCHQL.tmp.1.dr String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: is-UCHQL.tmp.1.dr String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: is-UCHQL.tmp.1.dr String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: is-6P98M.tmp.1.dr, is-8ECK7.tmp.1.dr, is-PRP4U.tmp.1.dr, is-VDBC5.tmp.1.dr, is-JNDNQ.tmp.1.dr, is-UTKLG.tmp.1.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: is-6P98M.tmp.1.dr, is-8ECK7.tmp.1.dr, is-PRP4U.tmp.1.dr, is-VDBC5.tmp.1.dr, is-JNDNQ.tmp.1.dr, is-UTKLG.tmp.1.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: is-VDBC5.tmp.1.dr String found in binary or memory: http://lame.sf.net
Source: is-VDBC5.tmp.1.dr String found in binary or memory: http://lame.sf.net32bits64bits
Source: is-VDBC5.tmp.1.dr String found in binary or memory: http://lame.sf.netB
Source: is-6P98M.tmp.1.dr, is-8ECK7.tmp.1.dr, is-PRP4U.tmp.1.dr, is-VDBC5.tmp.1.dr, is-JNDNQ.tmp.1.dr, is-UTKLG.tmp.1.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr String found in binary or memory: http://ocsp.thawte.com0
Source: is-UCHQL.tmp.1.dr String found in binary or memory: http://ocsps.ssl.com0
Source: is-UCHQL.tmp.1.dr String found in binary or memory: http://ocsps.ssl.com0?
Source: is-UCHQL.tmp.1.dr String found in binary or memory: http://ocsps.ssl.com0Q
Source: is-KI2RB.tmp.1.dr String found in binary or memory: http://qt-project.org/xml/features/report-start-end-entity
Source: is-KI2RB.tmp.1.dr String found in binary or memory: http://qt-project.org/xml/features/report-whitespace-only-CharData
Source: is-8ECK7.tmp.1.dr String found in binary or memory: http://qtav.org2
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr String found in binary or memory: http://t2.symcb.com0
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr String found in binary or memory: http://tl.symcd.com0&
Source: is-KI2RB.tmp.1.dr String found in binary or memory: http://trolltech.com/xml/features/report-start-end-entity
Source: is-KI2RB.tmp.1.dr String found in binary or memory: http://trolltech.com/xml/features/report-whitespace-only-CharData
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: tOniaJ21lj.tmp, tOniaJ21lj.tmp, 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, tOniaJ21lj.tmp.0.dr, is-O2PKH.tmp.1.dr String found in binary or memory: http://www.innosetup.com/
Source: tOniaJ21lj.exe, 00000000.00000003.2017542262.0000000002091000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.exe, 00000000.00000002.3269480886.0000000002091000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.exe, 00000000.00000003.2017464437.0000000002310000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.tmp, 00000001.00000003.2022441507.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, tOniaJ21lj.tmp, 00000001.00000002.3269794199.0000000002328000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.tmp, 00000001.00000003.2019413603.0000000002328000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.tmp, 00000001.00000003.2019304134.0000000003280000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.tmp, 00000001.00000002.3269392528.00000000006AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mpegla.com
Source: tOniaJ21lj.exe, 00000000.00000003.2018211873.0000000002098000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.exe, 00000000.00000003.2017811455.0000000002310000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.tmp, tOniaJ21lj.tmp, 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, tOniaJ21lj.tmp.0.dr, is-O2PKH.tmp.1.dr String found in binary or memory: http://www.remobjects.com/ps
Source: tOniaJ21lj.exe, 00000000.00000003.2018211873.0000000002098000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.exe, 00000000.00000003.2017811455.0000000002310000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.tmp, 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, tOniaJ21lj.tmp.0.dr, is-O2PKH.tmp.1.dr String found in binary or memory: http://www.remobjects.com/psU
Source: is-UCHQL.tmp.1.dr String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: is-KI2RB.tmp.1.dr String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: is-KI2RB.tmp.1.dr String found in binary or memory: http://xml.org/sax/features/namespaces
Source: is-KI2RB.tmp.1.dr String found in binary or memory: http://xml.org/sax/features/namespaceshttp://xml.org/sax/features/namespace-prefixeshttp://trolltech
Source: is-UTKLG.tmp.1.dr String found in binary or memory: https://curl.haxx.se/V
Source: is-UTKLG.tmp.1.dr String found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
Source: is-UTKLG.tmp.1.dr String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: is-6P98M.tmp.1.dr, is-8ECK7.tmp.1.dr, is-PRP4U.tmp.1.dr, is-VDBC5.tmp.1.dr, is-JNDNQ.tmp.1.dr, is-UTKLG.tmp.1.dr String found in binary or memory: https://sectigo.com/CPS0
Source: is-UCHQL.tmp.1.dr String found in binary or memory: https://www.ssl.com/repository0
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0042EEF4 NtdllDefWindowProc_A, 1_2_0042EEF4
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00423AF4 NtdllDefWindowProc_A, 1_2_00423AF4
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00412548 NtdllDefWindowProc_A, 1_2_00412548
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00455800 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 1_2_00455800
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00473F28 NtdllDefWindowProc_A, 1_2_00473F28
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0042E6DC: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError, 1_2_0042E6DC
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Code function: 0_2_0040936C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_0040936C
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00453FD0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_00453FD0
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Code function: 0_2_00408330 0_2_00408330
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0046C5C4 1_2_0046C5C4
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00434CFC 1_2_00434CFC
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0047B5CE 1_2_0047B5CE
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00463B8C 1_2_00463B8C
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_004822A0 1_2_004822A0
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00488444 1_2_00488444
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_004444A4 1_2_004444A4
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0045C87C 1_2_0045C87C
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_004308A0 1_2_004308A0
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00444B9C 1_2_00444B9C
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00444FA8 1_2_00444FA8
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_004813C8 1_2_004813C8
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0043D784 1_2_0043D784
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00459850 1_2_00459850
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00465BDC 1_2_00465BDC
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0042FD30 1_2_0042FD30
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00443EFC 1_2_00443EFC
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00433FF8 1_2_00433FF8
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 3_2_00401051 3_2_00401051
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 3_2_00401C26 3_2_00401C26
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 3_2_00406C87 3_2_00406C87
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_00401051 4_2_00401051
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_00401C26 4_2_00401C26
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_00406C87 4_2_00406C87
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_0260F028 4_2_0260F028
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_0261E1FD 4_2_0261E1FD
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_02622E24 4_2_02622E24
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_0261E615 4_2_0261E615
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_02619EF4 4_2_02619EF4
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_02624E99 4_2_02624E99
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_02625410 4_2_02625410
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_0261ACAA 4_2_0261ACAA
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_026184B2 4_2_026184B2
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_0261DD09 4_2_0261DD09
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5OpenGL.dll (copy) 7623B596CFD989413FEA2FE355607B029EF8E64067275CBF81863688128738B0
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: String function: 026253A0 appears 137 times
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: String function: 02618B50 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: String function: 00405964 appears 103 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: String function: 00406A2C appears 38 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: String function: 0045618C appears 68 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: String function: 00403400 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: String function: 00455F80 appears 95 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: String function: 00451F4C appears 88 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: String function: 0040785C appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: String function: 00408B74 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: String function: 00403494 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: String function: 00445808 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: String function: 00445AD8 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: String function: 00403684 appears 211 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: String function: 00433F10 appears 32 times
Source: tOniaJ21lj.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: tOniaJ21lj.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: tOniaJ21lj.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: tOniaJ21lj.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: tOniaJ21lj.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: tOniaJ21lj.tmp.0.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-O2PKH.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-O2PKH.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-O2PKH.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: is-O2PKH.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-O2PKH.tmp.1.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-VDBC5.tmp.1.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: tOniaJ21lj.exe, 00000000.00000003.2018211873.0000000002098000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs tOniaJ21lj.exe
Source: tOniaJ21lj.exe, 00000000.00000003.2017811455.0000000002310000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs tOniaJ21lj.exe
Source: tOniaJ21lj.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: recordpadsoundrecorder32.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: is-UCHQL.tmp.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: _RegDLL.tmp.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: UID Finder 6.11.66.exe.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/49@1/2
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_02610870 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError, 4_2_02610870
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Code function: 0_2_0040936C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_0040936C
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00453FD0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_00453FD0
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_004547F8 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA, 1_2_004547F8
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: CreateServiceA, 3_2_00402588
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: CreateServiceA, 4_2_0040D117
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Code function: 0_2_00409AD0 FindResourceA,SizeofResource,LoadResource,LockResource, 0_2_00409AD0
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 3_2_00402299 StartServiceCtrlDispatcherA, 3_2_00402299
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_00402299 StartServiceCtrlDispatcherA, 4_2_00402299
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder
Source: C:\Users\user\Desktop\tOniaJ21lj.exe File created: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp
Source: Yara match File source: 3.0.recordpadsoundrecorder32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.recordpadsoundrecorder32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.2036104577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.2033651879.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-OIVVM.tmp, type: DROPPED
Source: Yara match File source: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: tOniaJ21lj.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\tOniaJ21lj.exe File read: C:\Users\user\Desktop\tOniaJ21lj.exe
Source: unknown Process created: C:\Users\user\Desktop\tOniaJ21lj.exe "C:\Users\user\Desktop\tOniaJ21lj.exe"
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Process created: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp "C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp" /SL5="$10474,4719378,54272,C:\Users\user\Desktop\tOniaJ21lj.exe"
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Process created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -i
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Process created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -s
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Process created: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp "C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp" /SL5="$10474,4719378,54272,C:\Users\user\Desktop\tOniaJ21lj.exe"
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Process created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -i
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Process created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -s
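The process chain above (the Inno Setup stub, its extracted tOniaJ21lj.tmp started with /SL5=, and the dropped recordpadsoundrecorder32.exe run first with -i and then with -s, the same binary in which CreateServiceA and StartServiceCtrlDispatcherA were found) is the shape a detection rule can key on. The Python below is an added example, not Joe Sandbox output or code from the sample: it tokenizes constructed process-creation events modelled on the lines above, tags the Inno Setup second stage by its /SL5= argument, and flags a child dropped under a user-writable directory that the installer runs with both -i and -s. That -i installs and -s runs the service is an inference from the service API findings, not something the report states; the meaning of the two integers in /SL5= (offsets into the setup executable) is likewise an assumption, used only for a plausibility check against the file size given in the report (4969628 bytes).

```python
import re

# Constructed process-creation events (parent image, command line), modelled on the
# report's process tree; this is not a sandbox export.
EVENTS = [
    (None, r'"C:\Users\user\Desktop\tOniaJ21lj.exe"'),
    (r"C:\Users\user\Desktop\tOniaJ21lj.exe",
     r'"C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp" /SL5="$10474,4719378,54272,C:\Users\user\Desktop\tOniaJ21lj.exe"'),
    (r"C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp",
     r'"C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -i'),
    (r"C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp",
     r'"C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -s'),
    (None, r"C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager"),
]

# Inno Setup extracts its second stage to %TEMP%\is-XXXXX.tmp\<name>.tmp and passes /SL5=.
INNO_STAGE2 = re.compile(r"\\Temp\\is-[A-Z0-9]+\.tmp\\[^\\]+\.tmp$", re.IGNORECASE)
# Directories a standard user can write to; a service binary living here is unusual.
USER_WRITABLE = re.compile(r"\\(AppData\\Local|AppData\\Roaming|ProgramData)\\", re.IGNORECASE)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes (quotes dropped)."""
    tokens, current, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def parse_sl5(arg):
    """Parse /SL5=$hwnd,off0,off1,path. The meaning of the two integers is an assumption
    (offsets into the setup executable); the last field is the original installer path."""
    if not arg.upper().startswith("/SL5="):
        return None
    window, off0, off1, setup_exe = arg[5:].split(",", 3)
    return {"window": window, "offsets": (int(off0), int(off1)), "setup_exe": setup_exe}


def sl5_offsets_plausible(parsed, setup_size):
    """Both offsets must fall inside the installer file (size taken from the report)."""
    return all(0 < off < setup_size for off in parsed["offsets"])


def analyze(events):
    """Return (finding, image) pairs for the installer chain seen in the report."""
    findings, stage2_images, children = [], set(), {}
    for parent, cmdline in events:
        tokens = tokenize(cmdline)
        image, args = tokens[0], tokens[1:]
        if INNO_STAGE2.search(image) and any(parse_sl5(a) for a in args):
            stage2_images.add(image)
            findings.append(("inno_setup_stage2", image))
        if parent in stage2_images and USER_WRITABLE.search(image) and "\\Temp\\" not in image:
            children.setdefault((parent, image), set()).update(a.lower() for a in args)
    for (_parent, image), flags in children.items():
        # Dropped binary run once with -i and once with -s by the same installer: consistent
        # with the CreateServiceA / StartServiceCtrlDispatcherA findings (install, then serve).
        if {"-i", "-s"} <= flags:
            findings.append(("dropped_binary_self_installs_service", image))
    return findings


if __name__ == "__main__":
    for kind, image in analyze(EVENTS):
        print(f"{kind}: {image}")
```

The same two predicates translate directly into a Sysmon/EDR process-creation rule: parent image matching the is-XXXXX.tmp pattern, child image under AppData or ProgramData, and the -i / -s pair from one parent.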
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: tOniaJ21lj.exe Static file information: File size 4969628 > 1048576
Source: Binary string: msvcp120.amd64.pdb source: is-FR4FM.tmp.1.dr
Source: Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: is-K3HBS.tmp.1.dr
Source: Binary string: D:\Work\_\QtAV\QtAV-Desktop_Qt_5_15_1_MSVC2019_64bit\lib_win_x86_64\QtAVWidgets1.pdb++ source: is-8ECK7.tmp.1.dr
Source: Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb.. source: is-RV2D1.tmp.1.dr
Source: Binary string: msvcr120.amd64.pdb source: is-C4R5U.tmp.1.dr
Source: Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: is-EAHN0.tmp.1.dr
Source: Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb source: is-RV2D1.tmp.1.dr
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Xml.pdb source: is-KI2RB.tmp.1.dr
Source: Binary string: C:\msys64\home\--\src\ffmpeg\libavdevice\avdevice-58.pdb source: is-JNDNQ.tmp.1.dr
Source: Binary string: C:\msys64\home\--\src\openh264-2.0.0_x64\openh264.pdb source: is-PRP4U.tmp.1.dr
Source: Binary string: C:\msys64\home\--\src\ffmpeg\libavdevice\avdevice-58.pdb## source: is-JNDNQ.tmp.1.dr
Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb** source: is-KU10K.tmp.1.dr
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5OpenGL.pdb source: is-0C056.tmp.1.dr
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5OpenGL.pdb33 source: is-0C056.tmp.1.dr
Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb source: is-KU10K.tmp.1.dr
Source: Binary string: D:\Work\_\QtAV\QtAV-Desktop_Qt_5_15_1_MSVC2019_64bit\lib_win_x86_64\QtAVWidgets1.pdb source: is-8ECK7.tmp.1.dr

Data Obfuscation

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Unpacked PE file: 3.2.recordpadsoundrecorder32.exe.400000.0.unpack .text:ER;.bhead8:R;.data:W;.rsrc:R;.chead8:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Unpacked PE file: 4.2.recordpadsoundrecorder32.exe.400000.0.unpack .text:ER;.bhead8:R;.data:W;.rsrc:R;.chead8:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Unpacked PE file: 3.2.recordpadsoundrecorder32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Unpacked PE file: 4.2.recordpadsoundrecorder32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00447F60 LoadLibraryExA,LoadLibraryA,GetProcAddress, 1_2_00447F60
Source: recordpadsoundrecorder32.exe.1.dr Static PE information: section name: .bhead8
Source: recordpadsoundrecorder32.exe.1.dr Static PE information: section name: .chead8
Source: is-UCHQL.tmp.1.dr Static PE information: section name: .vcp1208
Source: is-K3HBS.tmp.1.dr Static PE information: section name: .didat
Source: is-PRP4U.tmp.1.dr Static PE information: section name: .rodata
Source: is-VDBC5.tmp.1.dr Static PE information: section name: _RDATA
Source: UID Finder 6.11.66.exe.3.dr Static PE information: section name: .bhead8
Source: UID Finder 6.11.66.exe.3.dr Static PE information: section name: .chead8
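The two section layouts listed for recordpadsoundrecorder32.exe, together with the .bhead8/.chead8 names in the dropped file's static section list, are what separate the on-disk wrapper from the image that actually runs: the layout observed in memory carries a .vmp0 section (the section name VMProtect uses), while the on-disk .chead8 section is both writable and executable. The Python below is an added example, not Joe Sandbox code: it builds two minimal PE skeletons (constructed test input, not bytes from the sample) with those section tables, parses the section headers back out, prints the protection letters (every set bit is printed here, so the report's ".data:W" appears as ".data:RW"), flags W+X sections and protector names, and diffs the two layouts. Which layout belongs on disk is taken from the section-name findings immediately above.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names that identify a protector (VMProtect's .vmpN is the relevant one here);
# the .bhead8/.chead8 names are specific to this sample and are not in any public list.
PACKER_SECTIONS = {".vmp0": "VMProtect", ".vmp1": "VMProtect", ".vmp2": "VMProtect",
                   "upx0": "UPX", "upx1": "UPX", ".aspack": "ASPack", ".themida": "Themida"}

# Constructed section tables mirroring the two layouts in the report. OUTER is the
# dropped file's layout (its static section list shows .bhead8/.chead8), INNER the
# header the sandbox observed in memory after unpacking.
OUTER = [(".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
         (".bhead8", IMAGE_SCN_MEM_READ),
         (".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
         (".rsrc", IMAGE_SCN_MEM_READ),
         (".chead8", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]
INNER = [(".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
         (".rdata", IMAGE_SCN_MEM_READ),
         (".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
         (".vmp0", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
         (".rsrc", IMAGE_SCN_MEM_READ)]


def build_pe(sections):
    """Emit a minimal PE skeleton (DOS header, PE signature, COFF header, section table)
    so the parser below has bytes to work on; it is not a loadable image."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + table


def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table; return [(name, flags)]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    count = struct.unpack_from("<H", data, e_lfanew + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(count):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append((fields[0].rstrip(b"\0").decode("latin-1"), fields[-1]))
    return sections


def perms(flags):
    """E/R/W letters for the memory-protection bits (every set bit is printed)."""
    return "".join(letter for bit, letter in ((IMAGE_SCN_MEM_EXECUTE, "E"),
                                              (IMAGE_SCN_MEM_READ, "R"),
                                              (IMAGE_SCN_MEM_WRITE, "W")) if flags & bit)


def layout(sections):
    return ";".join(f"{name}:{perms(flags)}" for name, flags in sections)


def assess(sections):
    """Flag writable+executable sections and section names tied to a protector."""
    issues = []
    for name, flags in sections:
        p = perms(flags)
        if "E" in p and "W" in p:
            issues.append(f"{name}: writable and executable ({p})")
        if name.lower() in PACKER_SECTIONS:
            issues.append(f"{name}: section name used by {PACKER_SECTIONS[name.lower()]}")
    return issues


def diff_layouts(before, after):
    """Which sections vanished, appeared, or changed protection between two layouts."""
    a, b = dict(before), dict(after)
    return {"removed": [n for n in a if n not in b],
            "added": [n for n in b if n not in a],
            "changed": [n for n in a if n in b and perms(a[n]) != perms(b[n])]}


if __name__ == "__main__":
    disk, mem = parse_sections(build_pe(OUTER)), parse_sections(build_pe(INNER))
    print("disk  :", layout(disk))
    print("memory:", layout(mem))
    print("diff  :", diff_layouts(disk, mem))
    print("issues:", assess(disk) + assess(mem))
```

On a real dump, replace build_pe() with the bytes of the dropped file and of the memory region the sandbox unpacked; the parser does not need the optional header, so it also works on a header that the unpacker has partially overwritten as long as e_lfanew and the section count survive.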
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Code function: 0_2_00406518 push 00406555h; ret 0_2_0040654D
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Code function: 0_2_00408028 push ecx; mov dword ptr [esp], eax 0_2_0040802D
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Code function: 0_2_00408E5C push 00408E8Fh; ret 0_2_00408E87
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_004098B4 push 004098F1h; ret 1_2_004098E9
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00456228 push 00456260h; ret 1_2_00456258
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_004062CC push ecx; mov dword ptr [esp], eax 1_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0045C574 push ecx; mov dword ptr [esp], eax 1_2_0045C579
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00410640 push ecx; mov dword ptr [esp], edx 1_2_00410645
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0040A6C8 push esp; retf 1_2_0040A6D1
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0047E6EC push 0047E7CAh; ret 1_2_0047E7C2
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00412898 push 004128FBh; ret 1_2_004128F3
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_004308A0 push ecx; mov dword ptr [esp], eax 1_2_004308A5
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00442E74 push ecx; mov dword ptr [esp], ecx 1_2_00442E78
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00450F04 push 00450F37h; ret 1_2_00450F2F
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0040CF98 push ecx; mov dword ptr [esp], edx 1_2_0040CF9A
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0047323C push ecx; mov dword ptr [esp], edx 1_2_0047323D
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0040546D push eax; ret 1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0040F4F8 push ecx; mov dword ptr [esp], edx 1_2_0040F4FA
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00457A94 push 00457AD8h; ret 1_2_00457AD0
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00419B98 push ecx; mov dword ptr [esp], ecx 1_2_00419B9D
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0047FD40 push ecx; mov dword ptr [esp], ecx 1_2_0047FD45
Source: recordpadsoundrecorder32.exe.1.dr Static PE information: section name: .text entropy: 7.764432846609721
Source: is-UCHQL.tmp.1.dr Static PE information: section name: .text entropy: 7.694137885769827
Source: UID Finder 6.11.66.exe.3.dr Static PE information: section name: .text entropy: 7.764432846609721

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 3_2_00401A4F
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 4_2_00401A4F
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 4_2_0260F851
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-RV2D1.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-6P98M.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5WinExtras.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Xml.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\avdevice-58.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-PRP4U.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-C4R5U.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libmp3lame.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\openh264.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5OpenGL.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-O2PKH.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcr120.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-FR4FM.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libeay32.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UTKLG.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_RegDLL.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp120.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libcurl.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-0C056.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-KU10K.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-K3HBS.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe File created: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-KI2RB.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-8ECK7.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-VDBC5.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-EAHN0.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UCHQL.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_iscrypt.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140_1.dll (copy) Jump to dropped file
Source: C:\Users\user\Desktop\tOniaJ21lj.exe File created: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-JNDNQ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\mousehelper.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Svg.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\QtAVWidgets1.dll (copy) Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 3_2_00401A4F
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 4_2_00401A4F
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 4_2_0260F851
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 3_2_00402299 StartServiceCtrlDispatcherA, 3_2_00402299
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00423B7C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423B7C
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0047E0A8 IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_0047E0A8
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0042414C IsIconic,SetActiveWindow,SetFocus, 1_2_0042414C
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00424104 IsIconic,SetActiveWindow, 1_2_00424104
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_004182F4 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_004182F4
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_004227CC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_004227CC
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00417508 IsIconic,GetCapture, 1_2_00417508
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00417C40 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00417C40
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00417C3E IsIconic,SetWindowPos, 1_2_00417C3E
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0044B08C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0044B08C
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 3_2_00401B4B
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 4_2_00401B4B
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 4_2_0260F955
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Window / User API: threadDelayed 9765 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-RV2D1.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-6P98M.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Xml.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5WinExtras.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\avdevice-58.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-PRP4U.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-C4R5U.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libmp3lame.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5OpenGL.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\openh264.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-O2PKH.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcr120.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-FR4FM.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libeay32.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UTKLG.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_RegDLL.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp120.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libcurl.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-0C056.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-K3HBS.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-KU10K.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-KI2RB.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-8ECK7.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-VDBC5.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-EAHN0.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UCHQL.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140_1.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_iscrypt.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-JNDNQ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Svg.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\mousehelper.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\QtAVWidgets1.dll (copy) Jump to dropped file
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 2788 Thread sleep count: 131 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 2788 Thread sleep time: -262000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 760 Thread sleep count: 42 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 760 Thread sleep time: -2520000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 2788 Thread sleep count: 9765 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 2788 Thread sleep time: -19530000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe File opened: PhysicalDrive0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0047A964 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_0047A964
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00470C84 FindFirstFileA,FindNextFileA,FindClose, 1_2_00470C84
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00451668 FindFirstFileA,GetLastError, 1_2_00451668
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00460594 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00460594
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00492760 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_00492760
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0047884C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_0047884C
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00460A10 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00460A10
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0045F008 FindFirstFileA,FindNextFileA,FindClose, 1_2_0045F008
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Code function: 0_2_00409A14 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_00409A14
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp File opened: C:\Users\user\AppData Jump to behavior
Source: tOniaJ21lj.tmp, 00000001.00000002.3269392528.0000000000669000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: recordpadsoundrecorder32.exe, 00000004.00000002.3270365274.0000000003310000.00000004.00000020.00020000.00000000.sdmp, recordpadsoundrecorder32.exe, 00000004.00000002.3269409364.0000000000878000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\tOniaJ21lj.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_0262016E RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 4_2_0262016E
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00447F60 LoadLibraryExA,LoadLibraryA,GetProcAddress, 1_2_00447F60
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_02606487 RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset, 4_2_02606487
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_026194D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_026194D8
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_004739C4 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 1_2_004739C4
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_0045B29C GetVersion,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,AllocateAndInitializeSid,GetLastError,LocalFree, 1_2_0045B29C
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_0260F809 cpuid 4_2_0260F809
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Code function: GetLocaleInfoA, 0_2_0040515C
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Code function: GetLocaleInfoA, 0_2_004051A8
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: GetLocaleInfoA, 1_2_004084D0
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: GetLocaleInfoA, 1_2_0040851C
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00456D8C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 1_2_00456D8C
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp Code function: 1_2_00453F88 GetUserNameA, 1_2_00453F88
Source: C:\Users\user\Desktop\tOniaJ21lj.exe Code function: 0_2_00405C44 GetVersionExA, 0_2_00405C44

Stealing of Sensitive Information

Source: Yara match File source: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3269669582.000000000097E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: recordpadsoundrecorder32.exe PID: 1412, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3269669582.000000000097E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: recordpadsoundrecorder32.exe PID: 1412, type: MEMORYSTR