Windows Analysis Report
tOniaJ21lj.exe

Overview

General Information

Sample name: tOniaJ21lj.exe (renamed because original name is a hash value)
Original sample name: fa367a7d44377d2c3f684c3912fec827.exe
Analysis ID: 1455403
MD5: fa367a7d44377d2c3f684c3912fec827
SHA1: cb9e24a00431a7cccecf333b5d4ec34785389191
SHA256: 7256e9f673b78c62aae25f78902c393d758262202e8ab4e4b4f1d5d01cd4cd12
Tags: exe, Socks5Systemz

Detection

Socks5Systemz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Socks5Systemz
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Machine Learning detection for dropped file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • tOniaJ21lj.exe (PID: 6220 cmdline: "C:\Users\user\Desktop\tOniaJ21lj.exe" MD5: FA367A7D44377D2C3F684C3912FEC827)
    • tOniaJ21lj.tmp (PID: 2836 cmdline: "C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp" /SL5="$10474,4719378,54272,C:\Users\user\Desktop\tOniaJ21lj.exe" MD5: 8EF7001015E126E74BC41268504CA1E2)
      • recordpadsoundrecorder32.exe (PID: 4368 cmdline: "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -i MD5: 1F7ED6F21708581170C4BF77C64A9D32)
      • recordpadsoundrecorder32.exe (PID: 1412 cmdline: "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -s MD5: 1F7ED6F21708581170C4BF77C64A9D32)
  • svchost.exe (PID: 5356 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Malware configuration: {"C2 list": ["aaxeeeo.ru"]}

Yara matches on dropped files:
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-OIVVM.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Yara matches on memory dumps:
Source | Rule | Description | Author | Strings
00000004.00000000.2036104577.0000000000401000.00000020.00000001.01000000.00000008.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000003.00000000.2033651879.0000000000401000.00000020.00000001.01000000.00000008.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000004.00000002.3269669582.000000000097E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
Process Memory Space: recordpadsoundrecorder32.exe PID: 1412 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |

Yara matches on unpacked PE files:
Source | Rule | Description | Author | Strings
3.0.recordpadsoundrecorder32.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
4.0.recordpadsoundrecorder32.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
Sigma match:
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 5356, ProcessName: svchost.exe


                      AV Detection

Source: tOniaJ21lj.exe | Avira: detected
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UCHQL.tmp | Avira: detection malicious, Label: ADWARE/AVI.ICLoader.jwrbl
Source: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe | Avira: detection malicious, Label: HEUR/AGEN.1314993
Source: recordpadsoundrecorder32.exe.1412.4.memstrmin | Malware Configuration Extractor: Socks5Systemz {"C2 list": ["aaxeeeo.ru"]}
Source: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe | ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UCHQL.tmp | ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libeay32.dll (copy) | ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | ReversingLabs: Detection: 42%
Source: tOniaJ21lj.exe | ReversingLabs: Detection: 21%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UCHQL.tmp | Joe Sandbox ML: detected
Source: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0045B864 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion | 1_2_0045B864
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0045B918 ArcFourCrypt | 1_2_0045B918
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0045B930 ArcFourCrypt | 1_2_0045B930
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_10001000 ISCryptGetVersion | 1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_10001130 ArcFourCrypt | 1_2_10001130
Source: is-UTKLG.tmp.1.dr | Binary or memory string: -----BEGIN PUBLIC KEY----- | memstr_195b4133-0

                      Compliance

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Unpacked PE file: 3.2.recordpadsoundrecorder32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Unpacked PE file: 4.2.recordpadsoundrecorder32.exe.400000.0.unpack
Source: tOniaJ21lj.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                      Source: Binary string: msvcp120.amd64.pdb source: is-FR4FM.tmp.1.dr
                      Source: Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: is-K3HBS.tmp.1.dr
                      Source: Binary string: D:\Work\_\QtAV\QtAV-Desktop_Qt_5_15_1_MSVC2019_64bit\lib_win_x86_64\QtAVWidgets1.pdb++ source: is-8ECK7.tmp.1.dr
                      Source: Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb.. source: is-RV2D1.tmp.1.dr
                      Source: Binary string: msvcr120.amd64.pdb source: is-C4R5U.tmp.1.dr
                      Source: Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: is-EAHN0.tmp.1.dr
                      Source: Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb source: is-RV2D1.tmp.1.dr
                      Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Xml.pdb source: is-KI2RB.tmp.1.dr
                      Source: Binary string: C:\msys64\home\--\src\ffmpeg\libavdevice\avdevice-58.pdb source: is-JNDNQ.tmp.1.dr
                      Source: Binary string: C:\msys64\home\--\src\openh264-2.0.0_x64\openh264.pdb source: is-PRP4U.tmp.1.dr
                      Source: Binary string: C:\msys64\home\--\src\ffmpeg\libavdevice\avdevice-58.pdb## source: is-JNDNQ.tmp.1.dr
                      Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb** source: is-KU10K.tmp.1.dr
                      Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5OpenGL.pdb source: is-0C056.tmp.1.dr
                      Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5OpenGL.pdb33 source: is-0C056.tmp.1.dr
                      Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb source: is-KU10K.tmp.1.dr
                      Source: Binary string: D:\Work\_\QtAV\QtAV-Desktop_Qt_5_15_1_MSVC2019_64bit\lib_win_x86_64\QtAVWidgets1.pdb source: is-8ECK7.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0047A964 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose | 1_2_0047A964
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00470C84 FindFirstFileA,FindNextFileA,FindClose | 1_2_00470C84
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00451668 FindFirstFileA,GetLastError | 1_2_00451668
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00460594 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode | 1_2_00460594
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00492760 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose | 1_2_00492760
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0047884C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose | 1_2_0047884C
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00460A10 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode | 1_2_00460A10
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0045F008 FindFirstFileA,FindNextFileA,FindClose | 1_2_0045F008
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File opened: C:\Users\user\AppData

                      Networking

Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52618 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52621 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52623 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52624 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52625 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52626 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52627 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52628 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52629 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52630 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52631 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52632 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52633 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52634 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52635 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52636 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52637 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52638 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52639 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52640 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52641 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52642 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52643 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52644 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52645 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52646 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52647 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52648 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52649 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52650 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52651 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52652 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52653 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52654 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52655 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52656 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52657 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52658 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52659 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52660 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52661 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52662 -> 94.156.8.14:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:52663 -> 94.156.8.14:80
Source: Malware configuration extractor | URLs: aaxeeeo.ru
Source: global traffic | TCP traffic: 192.168.2.5:52619 -> 194.59.31.219:2023
Source: Joe Sandbox View | IP Address: 94.156.8.14 94.156.8.14
Source: Joe Sandbox View | IP Address: 194.59.31.219 194.59.31.219
Source: Joe Sandbox View | ASN Name: NET1-ASBG NET1-ASBG
Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ff710c2e8929d3d HTTP/1.1 | Host: aaxeeeo.ru | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1 | Host: aaxeeeo.ru | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: unknown | TCP traffic detected without corresponding DNS query: 194.59.31.219
                      Source: unknown | UDP traffic detected without corresponding DNS query: 152.89.198.214
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_026072A7 Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,_memset,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,_memset,_memset,_memset,_malloc,_memset,_strtok,_swscanf,_strtok,_free,Sleep,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_memset,_free,4_2_026072A7
                      Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ff710c2e8929d3d HTTP/1.1 | Host: aaxeeeo.ru | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1 | Host: aaxeeeo.ru | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                      Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f895a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee9d9b39ca689110 HTTP/1.1Host: aaxeeeo.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic | DNS traffic detected: DNS query: aaxeeeo.ru
Source: recordpadsoundrecorder32.exe, 00000004.00000002.3269409364.0000000000969000.00000004.00000020.00020000.00000000.sdmp, recordpadsoundrecorder32.exe, 00000004.00000002.3270365274.0000000003351000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.156.8.14/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e995874f8
Source: recordpadsoundrecorder32.exe, 00000004.00000002.3269409364.000000000095F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.156.8.14/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d
Source: is-UCHQL.tmp.1.dr | String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: is-UCHQL.tmp.1.dr | String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0
Source: is-6P98M.tmp.1.dr, is-8ECK7.tmp.1.dr, is-PRP4U.tmp.1.dr, is-VDBC5.tmp.1.dr, is-JNDNQ.tmp.1.dr, is-UTKLG.tmp.1.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: is-6P98M.tmp.1.dr, is-8ECK7.tmp.1.dr, is-PRP4U.tmp.1.dr, is-VDBC5.tmp.1.dr, is-JNDNQ.tmp.1.dr, is-UTKLG.tmp.1.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: is-UCHQL.tmp.1.dr | String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: is-UCHQL.tmp.1.dr | String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: is-UCHQL.tmp.1.dr | String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: is-6P98M.tmp.1.dr, is-8ECK7.tmp.1.dr, is-PRP4U.tmp.1.dr, is-VDBC5.tmp.1.dr, is-JNDNQ.tmp.1.dr, is-UTKLG.tmp.1.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: is-6P98M.tmp.1.dr, is-8ECK7.tmp.1.dr, is-PRP4U.tmp.1.dr, is-VDBC5.tmp.1.dr, is-JNDNQ.tmp.1.dr, is-UTKLG.tmp.1.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: is-VDBC5.tmp.1.dr | String found in binary or memory: http://lame.sf.net
Source: is-VDBC5.tmp.1.dr | String found in binary or memory: http://lame.sf.net32bits64bits
Source: is-VDBC5.tmp.1.dr | String found in binary or memory: http://lame.sf.netB
Source: is-6P98M.tmp.1.dr, is-8ECK7.tmp.1.dr, is-PRP4U.tmp.1.dr, is-VDBC5.tmp.1.dr, is-JNDNQ.tmp.1.dr, is-UTKLG.tmp.1.dr | String found in binary or memory: http://ocsp.sectigo.com0
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: is-UCHQL.tmp.1.dr | String found in binary or memory: http://ocsps.ssl.com0
Source: is-UCHQL.tmp.1.dr | String found in binary or memory: http://ocsps.ssl.com0?
Source: is-UCHQL.tmp.1.dr | String found in binary or memory: http://ocsps.ssl.com0Q
Source: is-KI2RB.tmp.1.dr | String found in binary or memory: http://qt-project.org/xml/features/report-start-end-entity
Source: is-KI2RB.tmp.1.dr | String found in binary or memory: http://qt-project.org/xml/features/report-whitespace-only-CharData
Source: is-8ECK7.tmp.1.dr | String found in binary or memory: http://qtav.org2
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | String found in binary or memory: http://t2.symcb.com0
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | String found in binary or memory: http://tl.symcd.com0&
Source: is-KI2RB.tmp.1.dr | String found in binary or memory: http://trolltech.com/xml/features/report-start-end-entity
Source: is-KI2RB.tmp.1.dr | String found in binary or memory: http://trolltech.com/xml/features/report-whitespace-only-CharData
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: tOniaJ21lj.tmp, tOniaJ21lj.tmp, 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, tOniaJ21lj.tmp.0.dr, is-O2PKH.tmp.1.dr | String found in binary or memory: http://www.innosetup.com/
Source: tOniaJ21lj.exe, 00000000.00000003.2017542262.0000000002091000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.exe, 00000000.00000002.3269480886.0000000002091000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.exe, 00000000.00000003.2017464437.0000000002310000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.tmp, 00000001.00000003.2022441507.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, tOniaJ21lj.tmp, 00000001.00000002.3269794199.0000000002328000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.tmp, 00000001.00000003.2019413603.0000000002328000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.tmp, 00000001.00000003.2019304134.0000000003280000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.tmp, 00000001.00000002.3269392528.00000000006AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mpegla.com
Source: tOniaJ21lj.exe, 00000000.00000003.2018211873.0000000002098000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.exe, 00000000.00000003.2017811455.0000000002310000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.tmp, tOniaJ21lj.tmp, 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, tOniaJ21lj.tmp.0.dr, is-O2PKH.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/ps
Source: tOniaJ21lj.exe, 00000000.00000003.2018211873.0000000002098000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.exe, 00000000.00000003.2017811455.0000000002310000.00000004.00001000.00020000.00000000.sdmp, tOniaJ21lj.tmp, 00000001.00000002.3269095275.0000000000401000.00000020.00000001.01000000.00000004.sdmp, tOniaJ21lj.tmp.0.dr, is-O2PKH.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/psU
Source: is-UCHQL.tmp.1.dr | String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: is-KI2RB.tmp.1.dr | String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: is-KI2RB.tmp.1.dr | String found in binary or memory: http://xml.org/sax/features/namespaces
Source: is-KI2RB.tmp.1.dr | String found in binary or memory: http://xml.org/sax/features/namespaceshttp://xml.org/sax/features/namespace-prefixeshttp://trolltech
Source: is-UTKLG.tmp.1.dr | String found in binary or memory: https://curl.haxx.se/V
Source: is-UTKLG.tmp.1.dr | String found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
Source: is-UTKLG.tmp.1.dr | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: is-6P98M.tmp.1.dr, is-8ECK7.tmp.1.dr, is-PRP4U.tmp.1.dr, is-VDBC5.tmp.1.dr, is-JNDNQ.tmp.1.dr, is-UTKLG.tmp.1.dr | String found in binary or memory: https://sectigo.com/CPS0
Source: is-UCHQL.tmp.1.dr | String found in binary or memory: https://www.ssl.com/repository0
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | String found in binary or memory: https://www.thawte.com/cps0/
Source: is-KI2RB.tmp.1.dr, is-RV2D1.tmp.1.dr, is-KU10K.tmp.1.dr, is-0C056.tmp.1.dr | String found in binary or memory: https://www.thawte.com/repository0W
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0042EEF4 NtdllDefWindowProc_A, 1_2_0042EEF4
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00423AF4 NtdllDefWindowProc_A, 1_2_00423AF4
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00412548 NtdllDefWindowProc_A, 1_2_00412548
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00455800 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 1_2_00455800
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00473F28 NtdllDefWindowProc_A, 1_2_00473F28
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0042E6DC: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError, 1_2_0042E6DC
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_0040936C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_0040936C
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00453FD0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_00453FD0
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_00408330 0_2_00408330
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0046C5C4 1_2_0046C5C4
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00434CFC 1_2_00434CFC
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0047B5CE 1_2_0047B5CE
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00463B8C 1_2_00463B8C
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004822A0 1_2_004822A0
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00488444 1_2_00488444
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004444A4 1_2_004444A4
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0045C87C 1_2_0045C87C
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004308A0 1_2_004308A0
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00444B9C 1_2_00444B9C
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00444FA8 1_2_00444FA8
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004813C8 1_2_004813C8
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0043D784 1_2_0043D784
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00459850 1_2_00459850
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00465BDC 1_2_00465BDC
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0042FD30 1_2_0042FD30
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00443EFC 1_2_00443EFC
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00433FF8 1_2_00433FF8
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 3_2_00401051 3_2_00401051
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 3_2_00401C26 3_2_00401C26
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 3_2_00406C87 3_2_00406C87
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_00401051 4_2_00401051
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_00401C26 4_2_00401C26
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_00406C87 4_2_00406C87
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_0260F028 4_2_0260F028
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_0261E1FD 4_2_0261E1FD
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_02622E24 4_2_02622E24
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_0261E615 4_2_0261E615
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_02619EF4 4_2_02619EF4
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_02624E99 4_2_02624E99
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_02625410 4_2_02625410
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_0261ACAA 4_2_0261ACAA
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_026184B2 4_2_026184B2
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_0261DD09 4_2_0261DD09
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5OpenGL.dll (copy) 7623B596CFD989413FEA2FE355607B029EF8E64067275CBF81863688128738B0
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: String function: 026253A0 appears 137 times
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: String function: 02618B50 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 00405964 appears 103 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 00406A2C appears 38 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 0045618C appears 68 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 00403400 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 00455F80 appears 95 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 00451F4C appears 88 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 0040785C appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 00408B74 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 00403494 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 00445808 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 00445AD8 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 00403684 appears 211 times
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: String function: 00433F10 appears 32 times
                      Source: tOniaJ21lj.exeStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: tOniaJ21lj.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                      Source: tOniaJ21lj.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
                      Source: tOniaJ21lj.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
                      Source: tOniaJ21lj.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                      Source: tOniaJ21lj.tmp.0.drStatic PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                      Source: is-O2PKH.tmp.1.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                      Source: is-O2PKH.tmp.1.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
                      Source: is-O2PKH.tmp.1.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
                      Source: is-O2PKH.tmp.1.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                      Source: is-O2PKH.tmp.1.drStatic PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                      Source: is-VDBC5.tmp.1.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                      Source: tOniaJ21lj.exe, 00000000.00000003.2018211873.0000000002098000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs tOniaJ21lj.exe
                      Source: tOniaJ21lj.exe, 00000000.00000003.2017811455.0000000002310000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs tOniaJ21lj.exe
                      Source: tOniaJ21lj.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                      Source: recordpadsoundrecorder32.exe.1.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: is-UCHQL.tmp.1.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: _RegDLL.tmp.1.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: UID Finder 6.11.66.exe.3.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: classification engineClassification label: mal100.troj.evad.winEXE@8/49@1/2
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeCode function: 4_2_02610870 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError,4_2_02610870
                      Source: C:\Users\user\Desktop\tOniaJ21lj.exeCode function: 0_2_0040936C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_0040936C
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpCode function: 1_2_00453FD0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,1_2_00453FD0
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpCode function: 1_2_004547F8 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,1_2_004547F8
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeCode function: CreateServiceA,3_2_00402588
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeCode function: CreateServiceA,4_2_0040D117
                      Source: C:\Users\user\Desktop\tOniaJ21lj.exeCode function: 0_2_00409AD0 FindResourceA,SizeofResource,LoadResource,LockResource,0_2_00409AD0
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeCode function: 3_2_00402299 StartServiceCtrlDispatcherA,3_2_00402299
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeCode function: 3_2_00402299 StartServiceCtrlDispatcherA,3_2_00402299
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeCode function: 4_2_00402299 StartServiceCtrlDispatcherA,4_2_00402299
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound RecorderJump to behavior
                      Source: C:\Users\user\Desktop\tOniaJ21lj.exeFile created: C:\Users\user\AppData\Local\Temp\is-A11IR.tmpJump to behavior
                      Source: Yara matchFile source: 3.0.recordpadsoundrecorder32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.recordpadsoundrecorder32.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000004.00000000.2036104577.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000000.2033651879.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
                      Source: Yara matchFile source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe, type: DROPPED
                      Source: Yara matchFile source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-OIVVM.tmp, type: DROPPED
                      Source: Yara matchFile source: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe, type: DROPPED
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\tOniaJ21lj.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: tOniaJ21lj.exeReversingLabs: Detection: 21%
                      Source: C:\Users\user\Desktop\tOniaJ21lj.exeFile read: C:\Users\user\Desktop\tOniaJ21lj.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\tOniaJ21lj.exe "C:\Users\user\Desktop\tOniaJ21lj.exe"
                      Source: C:\Users\user\Desktop\tOniaJ21lj.exeProcess created: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp "C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp" /SL5="$10474,4719378,54272,C:\Users\user\Desktop\tOniaJ21lj.exe"
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpProcess created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -i
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpProcess created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -s
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                      Source: C:\Users\user\Desktop\tOniaJ21lj.exeProcess created: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp "C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp" /SL5="$10474,4719378,54272,C:\Users\user\Desktop\tOniaJ21lj.exe" Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpProcess created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -iJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpProcess created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -sJump to behavior
                      Source: C:\Users\user\Desktop\tOniaJ21lj.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\tOniaJ21lj.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: mpr.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: textinputframework.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: coreuicomponents.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: shfolder.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: msacm32.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: winmmbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: winmmbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: textshaping.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: riched20.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: usp10.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: msls31.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: explorerframe.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: sfc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpSection loaded: sfc_os.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: licensemanagersvc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: licensemanager.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpWindow found: window name: TMainFormJump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: tOniaJ21lj.exeStatic file information: File size 4969628 > 1048576
                      Source: Binary string: msvcp120.amd64.pdb source: is-FR4FM.tmp.1.dr
                      Source: Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: is-K3HBS.tmp.1.dr
                      Source: Binary string: D:\Work\_\QtAV\QtAV-Desktop_Qt_5_15_1_MSVC2019_64bit\lib_win_x86_64\QtAVWidgets1.pdb++ source: is-8ECK7.tmp.1.dr
                      Source: Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb.. source: is-RV2D1.tmp.1.dr
                      Source: Binary string: msvcr120.amd64.pdb source: is-C4R5U.tmp.1.dr
                      Source: Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: is-EAHN0.tmp.1.dr
                      Source: Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb source: is-RV2D1.tmp.1.dr
                      Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Xml.pdb source: is-KI2RB.tmp.1.dr
                      Source: Binary string: C:\msys64\home\--\src\ffmpeg\libavdevice\avdevice-58.pdb source: is-JNDNQ.tmp.1.dr
                      Source: Binary string: C:\msys64\home\--\src\openh264-2.0.0_x64\openh264.pdb source: is-PRP4U.tmp.1.dr
                      Source: Binary string: C:\msys64\home\--\src\ffmpeg\libavdevice\avdevice-58.pdb## source: is-JNDNQ.tmp.1.dr
                      Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb** source: is-KU10K.tmp.1.dr
                      Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5OpenGL.pdb source: is-0C056.tmp.1.dr
                      Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5OpenGL.pdb33 source: is-0C056.tmp.1.dr
                      Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb source: is-KU10K.tmp.1.dr
                      Source: Binary string: D:\Work\_\QtAV\QtAV-Desktop_Qt_5_15_1_MSVC2019_64bit\lib_win_x86_64\QtAVWidgets1.pdb source: is-8ECK7.tmp.1.dr

                      Data Obfuscation

                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Unpacked PE file: 3.2.recordpadsoundrecorder32.exe.400000.0.unpack .text:ER;.bhead8:R;.data:W;.rsrc:R;.chead8:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Unpacked PE file: 4.2.recordpadsoundrecorder32.exe.400000.0.unpack .text:ER;.bhead8:R;.data:W;.rsrc:R;.chead8:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Unpacked PE file: 3.2.recordpadsoundrecorder32.exe.400000.0.unpack
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Unpacked PE file: 4.2.recordpadsoundrecorder32.exe.400000.0.unpack
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00447F60 LoadLibraryExA,LoadLibraryA,GetProcAddress
                      Source: recordpadsoundrecorder32.exe.1.dr | Static PE information: section name: .bhead8
                      Source: recordpadsoundrecorder32.exe.1.dr | Static PE information: section name: .chead8
                      Source: is-UCHQL.tmp.1.dr | Static PE information: section name: .vcp1208
                      Source: is-K3HBS.tmp.1.dr | Static PE information: section name: .didat
                      Source: is-PRP4U.tmp.1.dr | Static PE information: section name: .rodata
                      Source: is-VDBC5.tmp.1.dr | Static PE information: section name: _RDATA
                      Source: UID Finder 6.11.66.exe.3.dr | Static PE information: section name: .bhead8
                      Source: UID Finder 6.11.66.exe.3.dr | Static PE information: section name: .chead8
                      Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_00406518 push 00406555h; ret 0_2_0040654D
                      Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_00408028 push ecx; mov dword ptr [esp], eax 0_2_0040802D
                      Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
                      Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
                      Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
                      Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
                      Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
                      Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
                      Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_00408E5C push 00408E8Fh; ret 0_2_00408E87
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004098B4 push 004098F1h; ret 1_2_004098E9
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00456228 push 00456260h; ret 1_2_00456258
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004062CC push ecx; mov dword ptr [esp], eax 1_2_004062CD
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0045C574 push ecx; mov dword ptr [esp], eax 1_2_0045C579
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00410640 push ecx; mov dword ptr [esp], edx 1_2_00410645
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0040A6C8 push esp; retf 1_2_0040A6D1
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0047E6EC push 0047E7CAh; ret 1_2_0047E7C2
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00412898 push 004128FBh; ret 1_2_004128F3
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004308A0 push ecx; mov dword ptr [esp], eax 1_2_004308A5
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00442E74 push ecx; mov dword ptr [esp], ecx 1_2_00442E78
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00450F04 push 00450F37h; ret 1_2_00450F2F
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0040CF98 push ecx; mov dword ptr [esp], edx 1_2_0040CF9A
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0047323C push ecx; mov dword ptr [esp], edx 1_2_0047323D
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0040546D push eax; ret 1_2_004054A9
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0040F4F8 push ecx; mov dword ptr [esp], edx 1_2_0040F4FA
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00457A94 push 00457AD8h; ret 1_2_00457AD0
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00419B98 push ecx; mov dword ptr [esp], ecx 1_2_00419B9D
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0047FD40 push ecx; mov dword ptr [esp], ecx 1_2_0047FD45
                      Source: recordpadsoundrecorder32.exe.1.dr | Static PE information: section name: .text entropy: 7.764432846609721
                      Source: is-UCHQL.tmp.1.dr | Static PE information: section name: .text entropy: 7.694137885769827
                      Source: UID Finder 6.11.66.exe.3.dr | Static PE information: section name: .text entropy: 7.764432846609721

                      Persistence and Installation Behavior

                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 3_2_00401A4F
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 4_2_00401A4F
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 4_2_0260F851
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-RV2D1.tmp
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-6P98M.tmp
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_shfoldr.dll
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5WinExtras.dll (copy)
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Xml.dll (copy)
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\avdevice-58.dll (copy)
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-PRP4U.tmp
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-C4R5U.tmp
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libmp3lame.dll (copy)
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\openh264.dll (copy)
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5OpenGL.dll (copy)
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-O2PKH.tmp
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcr120.dll (copy)
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-FR4FM.tmp
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\unins000.exe (copy)
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libeay32.dll (copy)
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UTKLG.tmp
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_setup64.tmp
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_RegDLL.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp120.dll (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libcurl.dll (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-0C056.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-KU10K.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-K3HBS.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140.dll (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeFile created: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exeJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-KI2RB.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-8ECK7.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-VDBC5.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-EAHN0.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UCHQL.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_iscrypt.dllJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140_1.dll (copy)Jump to dropped file
                      Source: C:\Users\user\Desktop\tOniaJ21lj.exeFile created: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-JNDNQ.tmpJump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\mousehelper.dll (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Svg.dll (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmpFile created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\QtAVWidgets1.dll (copy)Jump to dropped file
                      Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeFile created: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exeJump to dropped file

                      Boot Survival

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 3_2_00401A4F
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 4_2_00401A4F
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 4_2_0260F851
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 3_2_00402299 StartServiceCtrlDispatcherA, 3_2_00402299
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00423B7C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423B7C
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00423B7C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423B7C
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0047E0A8 IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_0047E0A8
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0042414C IsIconic,SetActiveWindow,SetFocus, 1_2_0042414C
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00424104 IsIconic,SetActiveWindow, 1_2_00424104
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004182F4 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_004182F4
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004227CC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_004227CC
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00417508 IsIconic,GetCapture, 1_2_00417508
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00417C40 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00417C40
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00417C3E IsIconic,SetWindowPos, 1_2_00417C3E
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0044B08C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0044B08C
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 3_2_00401B4B
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 4_2_00401B4B
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 4_2_0260F955
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Window / User API: threadDelayed 9765
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-RV2D1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-6P98M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Xml.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5WinExtras.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\avdevice-58.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-PRP4U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-C4R5U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libmp3lame.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5OpenGL.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\openh264.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-O2PKH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcr120.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-FR4FM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libeay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UTKLG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_RegDLL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp120.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libcurl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-0C056.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-K3HBS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-KU10K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-KI2RB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-8ECK7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-VDBC5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-EAHN0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-UCHQL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140_1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NO26A.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-JNDNQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Svg.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\mousehelper.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\QtAVWidgets1.dll (copy)
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Evasive API call chain: GetSystemTime,DecisionNodes graph_0-6440
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_3-3206
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 2788 | Thread sleep count: 131 > 30
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 2788 | Thread sleep time: -262000s >= -30000s
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 760 | Thread sleep count: 42 > 30
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 760 | Thread sleep time: -2520000s >= -30000s
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 2788 | Thread sleep count: 9765 > 30
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 2788 | Thread sleep time: -19530000s >= -30000s
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0047A964 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_0047A964
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00470C84 FindFirstFileA,FindNextFileA,FindClose, 1_2_00470C84
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00451668 FindFirstFileA,GetLastError, 1_2_00451668
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00460594 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00460594
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00492760 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_00492760
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0047884C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_0047884C
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00460A10 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00460A10
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0045F008 FindFirstFileA,FindNextFileA,FindClose, 1_2_0045F008
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_00409A14 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_00409A14
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File opened: C:\Users\user\AppData
Source: tOniaJ21lj.tmp, 00000001.00000002.3269392528.0000000000669000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: recordpadsoundrecorder32.exe, 00000004.00000002.3270365274.0000000003310000.00000004.00000020.00020000.00000000.sdmp, recordpadsoundrecorder32.exe, 00000004.00000002.3269409364.0000000000878000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | API call chain: ExitProcess graph end node graph_0-6298
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | API call chain: ExitProcess graph end node graph_3-3468
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_0262016E RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 4_2_0262016E
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_0262016E RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 4_2_0262016E
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00447F60 LoadLibraryExA,LoadLibraryA,GetProcAddress, 1_2_00447F60
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_02606487 RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset, 4_2_02606487
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_026194D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_026194D8
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_004739C4 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 1_2_004739C4
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_0045B29C GetVersion,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,AllocateAndInitializeSid,GetLastError,LocalFree, 1_2_0045B29C
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_0260F809 cpuid 4_2_0260F809
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: GetLocaleInfoA, 0_2_0040515C
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: GetLocaleInfoA, 0_2_004051A8
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: GetLocaleInfoA, 1_2_004084D0
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: GetLocaleInfoA, 1_2_0040851C
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00456D8C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 1_2_00456D8C
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | Code function: 1_2_00453F88 GetUserNameA, 1_2_00453F88
Source: C:\Users\user\Desktop\tOniaJ21lj.exe | Code function: 0_2_00405C44 GetVersionExA, 0_2_00405C44
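The rows above (the file-created list and the behaviour rows in this section) are the raw material an analyst has to turn into indicators. The following is an added example, not Joe Sandbox code or output and not part of the original report: a small parser that takes rows of this shape (source process, a field label such as "Code function" or "Thread sleep count", then the detail), strips the "Jump to ..." link residue, and flags the behaviours recorded here: DeviceIoControl against \\.\PhysicalDrive0, the StartServiceCtrlDispatcherA service entry point, IsDebuggerPresent, and sleep loops the sandbox marked as exceeding its threshold. The sample rows are constructed copies in the row format used here, and reading a function id such as 4_2_00401A4F as process number, snapshot and virtual address is an assumption about Joe Sandbox's numbering.

```python
"""Structure Joe Sandbox-style behaviour rows for triage (added example).

Not Joe Sandbox's own code or output format. The rows below are constructed to
match the shape of the report rows above. Reading a function id such as
4_2_00401A4F as <process number>_<snapshot>_<virtual address> is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Field labels seen in the report rows; the source path and the label may be
# fused ("...exeCode function:") or separated by " | ".
FIELD_LABELS = (
    "Code function", "File created", "Dropped PE file which has not been started",
    "Thread sleep count", "Thread sleep time", "Thread delayed", "File opened",
    "Process information set", "Evasive API call chain", "API call chain",
    "Window / User API", "Binary or memory string",
)
ROW_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)(?:\s*\|\s*)?"
    r"(?P<kind>" + "|".join(re.escape(k) for k in FIELD_LABELS) + r"):\s*"
    r"(?P<detail>.*?)(?:Jump to (?:behavior|dropped file))?\s*$"  # drop link residue
)
TID_RE = re.compile(r"\s*TID:\s*(\d+)$")
FUNC_ID_RE = re.compile(r"\b\d+_\d+_[0-9A-Fa-f]{8}\b")   # e.g. 4_2_00401A4F
IDENT_RE = re.compile(r"^[A-Za-z_]\w*$")                   # API names, not device paths
SLEEP_COUNT_RE = re.compile(r"(\d+)\s*>\s*(\d+)")          # "9765 > 30"

# Constructed sample rows in the shape of the report above (one keeps the
# fused "Jump to dropped file" residue on purpose; "barindex" is page residue).
SAMPLE_ROWS = [
    r"Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 4_2_00401A4F",
    r"Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 4_2_0260F851",
    r"Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 3_2_00402299 StartServiceCtrlDispatcherA, 3_2_00402299",
    r"Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | Code function: 4_2_0262016E RtlEncodePointer,LoadLibraryExW,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer, 4_2_0262016E",
    r"Source: C:\Users\user\AppData\Local\Temp\is-A11IR.tmp\tOniaJ21lj.tmp | File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exeJump to dropped file",
    r"Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe | File created: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe",
    r"Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 2788 | Thread sleep count: 9765 > 30",
    r"Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 760 | Thread sleep count: 42 > 30",
    "barindex",
]


@dataclass
class Row:
    source: str                      # process that showed the behaviour
    kind: str                        # field label, e.g. "Code function"
    detail: str
    tid: Optional[int] = None
    apis: List[str] = field(default_factory=list)      # API names in call order
    func_ids: List[str] = field(default_factory=list)  # ids like "4_2_00401A4F"


def parse_row(line: str) -> Optional[Row]:
    """Return a Row for a report row, or None for headings and page residue."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    source, tid = m.group("source").strip(), None
    t = TID_RE.search(source)
    if t:
        tid, source = int(t.group(1)), source[: t.start()].strip()
    row = Row(source, m.group("kind"), m.group("detail").strip(), tid)
    if row.kind == "Code function":
        row.func_ids = sorted(set(FUNC_ID_RE.findall(row.detail)))
        tokens = re.split(r"[,\s]+", FUNC_ID_RE.sub(" ", row.detail))
        row.apis = [tok for tok in tokens if IDENT_RE.match(tok)]
    return row


def triage(lines: List[str]) -> Dict[str, object]:
    """Collect dropped files and evasion/persistence indicators from report rows."""
    rows = [r for r in map(parse_row, lines) if r is not None]
    report: Dict[str, object] = {
        "processes": sorted({r.source for r in rows}),
        "dropped_files": sorted({r.detail for r in rows if r.kind == "File created"}),
        "raw_disk_access": set(),   # DeviceIoControl on \\.\PhysicalDrive0
        "service_entry": set(),     # StartServiceCtrlDispatcher: runs as a service
        "debugger_check": set(),    # IsDebuggerPresent
        "sleep_loops": [],          # (tid, count) where count exceeded the threshold
    }
    for r in rows:
        if r.kind == "Code function":
            if "DeviceIoControl" in r.apis and "PhysicalDrive" in r.detail:
                report["raw_disk_access"].update(r.func_ids)
            if any(a.startswith("StartServiceCtrlDispatcher") for a in r.apis):
                report["service_entry"].update(r.func_ids)
            if "IsDebuggerPresent" in r.apis:
                report["debugger_check"].update(r.func_ids)
        elif r.kind == "Thread sleep count":
            c = SLEEP_COUNT_RE.search(r.detail)
            if c and int(c.group(1)) > int(c.group(2)):
                report["sleep_loops"].append((r.tid, int(c.group(1))))
    for key in ("raw_disk_access", "service_entry", "debugger_check"):
        report[key] = sorted(report[key])
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Feeding the whole report body through `triage` gives the dropped-file paths (the `RecordPad Sound Recorder` directory and `C:\ProgramData\UID Finder 6.11.66\`) as a ready IOC list and the function ids to jump to in a disassembler; the `PhysicalDrive0` and `StartServiceCtrlDispatcherA` hits are the ones to prioritise, since raw disk writes and a service entry point are what the "Boot Survival" heading is about.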

                      Stealing of Sensitive Information

Source: Yara match | File source: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3269669582.000000000097E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: recordpadsoundrecorder32.exe PID: 1412, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match | File source: 00000004.00000002.3270097670.0000000002601000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3269669582.000000000097E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: recordpadsoundrecorder32.exe PID: 1412, type: MEMORYSTR
                      MITRE ATT&CK matrix, listed by tactic (numbers in parentheses are the markers the report shows next to detected techniques):

                      • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
                      • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
                      • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
                      • Execution: Native API (3), Service Execution (2), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
                      • Persistence: DLL Side-Loading (1), Windows Service (4), Bootkit (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
                      • Privilege Escalation: Exploitation for Privilege Escalation (1), DLL Side-Loading (1), Access Token Manipulation (1), Windows Service (4), Process Injection (2), RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
                      • Defense Evasion: Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (22), DLL Side-Loading (1), Masquerading (1), Virtualization/Sandbox Evasion (21), Access Token Manipulation (1), Process Injection (2), Bootkit (1), Dynamic API Resolution
                      • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
                      • Discovery: System Time Discovery (1), Account Discovery (1), File and Directory Discovery (3), System Information Discovery (35), Security Software Discovery (141), Virtualization/Sandbox Evasion (21), Application Window Discovery (11), System Owner/User Discovery (3), Remote System Discovery (1), System Network Configuration Discovery (1)
                      • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
                      • Collection: Archive Collected Data (11), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
                      • Command and Control: Ingress Tool Transfer (2), Encrypted Channel (2), Non-Standard Port (1), Non-Application Layer Protocol (2), Application Layer Protocol (112), Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
                      • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                      • Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.