Windows Analysis Report
9MgoW3Y1ti.exe

Overview

General Information

Sample name: 9MgoW3Y1ti.exe
renamed because original name is a hash value
Original sample name: b5782418b0d93145d5e7d5ff762c50e3.exe
Analysis ID: 1455413
MD5: b5782418b0d93145d5e7d5ff762c50e3
SHA1: 8ad9d47fcd5cc8668c316f2ed8b9ce0f44b9adfb
SHA256: 2364f287be72dd7aa1f3cf19ff86314a02b62f4b19792e1e06abad3567d1900c
Tags: exeSocks5Systemz

Detection

Socks5Systemz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Socks5Systemz
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Machine Learning detection for dropped file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: 9MgoW3Y1ti.exe Avira: detected
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-4KSHT.tmp Avira: detection malicious, Label: ADWARE/AVI.ICLoader.jwrbl
Source: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe Avira: detection malicious, Label: HEUR/AGEN.1314993
Source: recordpadsoundrecorder32.exe.5068.4.memstrmin Malware Configuration Extractor: Socks5Systemz {"C2 list": ["aadolui.ru"]}
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-4KSHT.tmp ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libeay32.dll (copy) ReversingLabs: Detection: 87%
Source: 9MgoW3Y1ti.exe ReversingLabs: Detection: 21%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-4KSHT.tmp Joe Sandbox ML: detected
Source: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0045B864 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion, 2_2_0045B864
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0045B918 ArcFourCrypt, 2_2_0045B918
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0045B930 ArcFourCrypt, 2_2_0045B930
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_10001000 ISCryptGetVersion, 2_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_10001130 ArcFourCrypt, 2_2_10001130
Source: is-39U3O.tmp.2.dr Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_280956d0-c

Compliance

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Unpacked PE file: 3.2.recordpadsoundrecorder32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Unpacked PE file: 4.2.recordpadsoundrecorder32.exe.400000.0.unpack
Source: 9MgoW3Y1ti.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: is-S4BNJ.tmp.2.dr
Source: Binary string: msvcp120.amd64.pdb source: is-DL0CV.tmp.2.dr
Source: Binary string: D:\Work\_\QtAV\QtAV-Desktop_Qt_5_15_1_MSVC2019_64bit\lib_win_x86_64\QtAVWidgets1.pdb++ source: is-U97AK.tmp.2.dr
Source: Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb.. source: is-823LG.tmp.2.dr
Source: Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb source: is-823LG.tmp.2.dr
Source: Binary string: msvcr120.amd64.pdb source: is-MH9PV.tmp.2.dr
Source: Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: is-HD7FV.tmp.2.dr
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Xml.pdb source: is-3D4M0.tmp.2.dr
Source: Binary string: C:\msys64\home\--\src\ffmpeg\libavdevice\avdevice-58.pdb source: is-TTPUD.tmp.2.dr
Source: Binary string: C:\msys64\home\--\src\ffmpeg\libavdevice\avdevice-58.pdb## source: is-TTPUD.tmp.2.dr
Source: Binary string: C:\msys64\home\--\src\openh264-2.0.0_x64\openh264.pdb source: is-1KIT8.tmp.2.dr
Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb** source: is-3VSKS.tmp.2.dr
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5OpenGL.pdb source: is-J8S40.tmp.2.dr
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5OpenGL.pdb33 source: is-J8S40.tmp.2.dr
Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb source: is-3VSKS.tmp.2.dr
Source: Binary string: D:\Work\_\QtAV\QtAV-Desktop_Qt_5_15_1_MSVC2019_64bit\lib_win_x86_64\QtAVWidgets1.pdb source: is-U97AK.tmp.2.dr
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0047A964 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 2_2_0047A964
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00470C84 FindFirstFileA,FindNextFileA,FindClose, 2_2_00470C84
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00451668 FindFirstFileA,GetLastError, 2_2_00451668
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00460594 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 2_2_00460594
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00492760 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 2_2_00492760
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0047884C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 2_2_0047884C
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00460A10 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 2_2_00460A10
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0045F008 FindFirstFileA,FindNextFileA,FindClose, 2_2_0045F008
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior

Networking

Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49720 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49721 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49723 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49725 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49726 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49729 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49730 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49731 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49732 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49733 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49734 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49735 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49736 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49737 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49738 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49739 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49740 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49741 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49742 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49743 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49744 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49746 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49747 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49748 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49749 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49750 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49751 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49752 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49753 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49754 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49755 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49756 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49757 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49758 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49759 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49760 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49761 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49762 -> 94.156.8.14:80
Source: Traffic Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.6:49763 -> 94.156.8.14:80
Source: Malware configuration extractor URLs: aadolui.ru
Source: global traffic TCP traffic: 192.168.2.6:49722 -> 194.59.31.219:2023
Source: Joe Sandbox View IP Address: 94.156.8.14 94.156.8.14
Source: Joe Sandbox View IP Address: 194.59.31.219 194.59.31.219
Source: Joe Sandbox View ASN Name: NET1-ASBG NET1-ASBG
Source: global traffic HTTP traffic detected (2 identical requests): GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ff710c2e79c923c HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic HTTP traffic detected (52 identical requests): GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f4996148ab2865b77f80ebad9c40f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74bfb0e2807e12571c17f3e83fe16c1e7949833c46791 HTTP/1.1 Host: aadolui.ru User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: unknown TCP traffic detected without corresponding DNS query: 194.59.31.219
Source: unknown UDP traffic detected without corresponding DNS query: 91.211.247.248
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_00B472A7 Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,_memset,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,_memset,_memset,_memset,_malloc,_memset,_strtok,_swscanf,_strtok,_free,Sleep,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_memset,_free, 4_2_00B472A7
Source: global traffic HTTP traffic detected: GET /search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978fe71ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ff710c2e79c923c HTTP/1.1Host: aadolui.ruUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic DNS traffic detected: DNS query: aadolui.ru
Source: recordpadsoundrecorder32.exe, 00000004.00000002.3439366230.0000000000B19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://94.156.8.14/
Source: recordpadsoundrecorder32.exe, 00000004.00000002.3445138665.0000000002BB2000.00000004.00000020.00020000.00000000.sdmp, recordpadsoundrecorder32.exe, 00000004.00000002.3445876972.0000000003410000.00000004.00000020.00020000.00000000.sdmp, recordpadsoundrecorder32.exe, 00000004.00000002.3439366230.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, recordpadsoundrecorder32.exe, 00000004.00000002.3439366230.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, recordpadsoundrecorder32.exe, 00000004.00000002.3445676449.0000000003354000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://94.156.8.14/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12eab517aa5c96bd86e4908f499
Source: recordpadsoundrecorder32.exe, 00000004.00000002.3439366230.0000000000B2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://94.156.8.14/search/?q=67e28dd83d5df2201606a51c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d
Source: is-4KSHT.tmp.2.dr String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: is-4KSHT.tmp.2.dr String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0
Source: is-EMQ3A.tmp.2.dr, is-TTPUD.tmp.2.dr, is-PU0LK.tmp.2.dr, is-U97AK.tmp.2.dr, is-1KIT8.tmp.2.dr, is-39U3O.tmp.2.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: is-EMQ3A.tmp.2.dr, is-TTPUD.tmp.2.dr, is-PU0LK.tmp.2.dr, is-U97AK.tmp.2.dr, is-1KIT8.tmp.2.dr, is-39U3O.tmp.2.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: is-4KSHT.tmp.2.dr String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: is-4KSHT.tmp.2.dr String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: is-4KSHT.tmp.2.dr String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: is-EMQ3A.tmp.2.dr, is-TTPUD.tmp.2.dr, is-PU0LK.tmp.2.dr, is-U97AK.tmp.2.dr, is-1KIT8.tmp.2.dr, is-39U3O.tmp.2.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: is-EMQ3A.tmp.2.dr, is-TTPUD.tmp.2.dr, is-PU0LK.tmp.2.dr, is-U97AK.tmp.2.dr, is-1KIT8.tmp.2.dr, is-39U3O.tmp.2.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: is-PU0LK.tmp.2.dr String found in binary or memory: http://lame.sf.net
Source: is-PU0LK.tmp.2.dr String found in binary or memory: http://lame.sf.net32bits64bits
Source: is-PU0LK.tmp.2.dr String found in binary or memory: http://lame.sf.netB
Source: is-EMQ3A.tmp.2.dr, is-TTPUD.tmp.2.dr, is-PU0LK.tmp.2.dr, is-U97AK.tmp.2.dr, is-1KIT8.tmp.2.dr, is-39U3O.tmp.2.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr String found in binary or memory: http://ocsp.thawte.com0
Source: is-4KSHT.tmp.2.dr String found in binary or memory: http://ocsps.ssl.com0
Source: is-4KSHT.tmp.2.dr String found in binary or memory: http://ocsps.ssl.com0?
Source: is-4KSHT.tmp.2.dr String found in binary or memory: http://ocsps.ssl.com0Q
Source: is-3D4M0.tmp.2.dr String found in binary or memory: http://qt-project.org/xml/features/report-start-end-entity
Source: is-3D4M0.tmp.2.dr String found in binary or memory: http://qt-project.org/xml/features/report-whitespace-only-CharData
Source: is-U97AK.tmp.2.dr String found in binary or memory: http://qtav.org2
Source: is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr String found in binary or memory: http://t2.symcb.com0
Source: is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr String found in binary or memory: http://tl.symcd.com0&
Source: is-3D4M0.tmp.2.dr String found in binary or memory: http://trolltech.com/xml/features/report-start-end-entity
Source: is-3D4M0.tmp.2.dr String found in binary or memory: http://trolltech.com/xml/features/report-whitespace-only-CharData
Source: is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 9MgoW3Y1ti.tmp, 9MgoW3Y1ti.tmp, 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 9MgoW3Y1ti.tmp.0.dr, is-VS29P.tmp.2.dr String found in binary or memory: http://www.innosetup.com/
Source: 9MgoW3Y1ti.exe, 00000000.00000003.2172810157.00000000020A1000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.exe, 00000000.00000002.3438960879.00000000020A1000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.exe, 00000000.00000003.2172716859.0000000002350000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.tmp, 00000002.00000003.2175399806.0000000003100000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.tmp, 00000002.00000003.2175492186.0000000002128000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.tmp, 00000002.00000002.3439045776.000000000061D000.00000004.00000020.00020000.00000000.sdmp, 9MgoW3Y1ti.tmp, 00000002.00000002.3439620387.0000000002128000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.mpegla.com
Source: 9MgoW3Y1ti.exe, 00000000.00000003.2173371991.0000000002350000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.exe, 00000000.00000003.2173880239.00000000020A8000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.tmp, 9MgoW3Y1ti.tmp, 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 9MgoW3Y1ti.tmp.0.dr, is-VS29P.tmp.2.dr String found in binary or memory: http://www.remobjects.com/ps
Source: 9MgoW3Y1ti.exe, 00000000.00000003.2173371991.0000000002350000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.exe, 00000000.00000003.2173880239.00000000020A8000.00000004.00001000.00020000.00000000.sdmp, 9MgoW3Y1ti.tmp, 00000002.00000002.3436818094.0000000000401000.00000020.00000001.01000000.00000004.sdmp, 9MgoW3Y1ti.tmp.0.dr, is-VS29P.tmp.2.dr String found in binary or memory: http://www.remobjects.com/psU
Source: is-4KSHT.tmp.2.dr String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: is-3D4M0.tmp.2.dr String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: is-3D4M0.tmp.2.dr String found in binary or memory: http://xml.org/sax/features/namespaces
Source: is-3D4M0.tmp.2.dr String found in binary or memory: http://xml.org/sax/features/namespaceshttp://xml.org/sax/features/namespace-prefixeshttp://trolltech
Source: is-39U3O.tmp.2.dr String found in binary or memory: https://curl.haxx.se/V
Source: is-39U3O.tmp.2.dr String found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
Source: is-39U3O.tmp.2.dr String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: is-EMQ3A.tmp.2.dr, is-TTPUD.tmp.2.dr, is-PU0LK.tmp.2.dr, is-U97AK.tmp.2.dr, is-1KIT8.tmp.2.dr, is-39U3O.tmp.2.dr String found in binary or memory: https://sectigo.com/CPS0
Source: is-4KSHT.tmp.2.dr String found in binary or memory: https://www.ssl.com/repository0
Source: is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: is-J8S40.tmp.2.dr, is-3VSKS.tmp.2.dr, is-823LG.tmp.2.dr, is-3D4M0.tmp.2.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0042EEF4 NtdllDefWindowProc_A, 2_2_0042EEF4
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00423AF4 NtdllDefWindowProc_A, 2_2_00423AF4
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00412548 NtdllDefWindowProc_A, 2_2_00412548
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00455800 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 2_2_00455800
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00473F28 NtdllDefWindowProc_A, 2_2_00473F28
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0042E6DC: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError, 2_2_0042E6DC
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Code function: 0_2_0040936C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_0040936C
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00453FD0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 2_2_00453FD0
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Code function: 0_2_00408330 0_2_00408330
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0046C5C4 2_2_0046C5C4
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00434CFC 2_2_00434CFC
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0047B5CE 2_2_0047B5CE
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00463B8C 2_2_00463B8C
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_004822A0 2_2_004822A0
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00488444 2_2_00488444
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_004444A4 2_2_004444A4
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0045C87C 2_2_0045C87C
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_004308A0 2_2_004308A0
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00444B9C 2_2_00444B9C
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00444FA8 2_2_00444FA8
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_004813C8 2_2_004813C8
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0043D784 2_2_0043D784
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00459850 2_2_00459850
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00465BDC 2_2_00465BDC
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0042FD30 2_2_0042FD30
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00443EFC 2_2_00443EFC
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00433FF8 2_2_00433FF8
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 3_2_00401051 3_2_00401051
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 3_2_00401C26 3_2_00401C26
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 3_2_00406C87 3_2_00406C87
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_00401051 4_2_00401051
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_00401C26 4_2_00401C26
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_00406C87 4_2_00406C87
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_00B4F028 4_2_00B4F028
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_00B5E1FD 4_2_00B5E1FD
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_00B584B2 4_2_00B584B2
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_00B5ACAA 4_2_00B5ACAA
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_00B65410 4_2_00B65410
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_00B5DD09 4_2_00B5DD09
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_00B64E99 4_2_00B64E99
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_00B59EF4 4_2_00B59EF4
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_00B62E24 4_2_00B62E24
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_00B5E615 4_2_00B5E615
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5OpenGL.dll (copy) 7623B596CFD989413FEA2FE355607B029EF8E64067275CBF81863688128738B0
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: String function: 00405964 appears 103 times
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: String function: 00406A2C appears 38 times
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: String function: 0045618C appears 68 times
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: String function: 00403400 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: String function: 00455F80 appears 95 times
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: String function: 00451F4C appears 88 times
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: String function: 0040785C appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: String function: 00408B74 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: String function: 00403494 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: String function: 00445808 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: String function: 00445AD8 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: String function: 00403684 appears 211 times
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: String function: 00433F10 appears 32 times
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: String function: 00B653A0 appears 138 times
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: String function: 00B58B50 appears 37 times
Source: 9MgoW3Y1ti.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 9MgoW3Y1ti.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 9MgoW3Y1ti.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: 9MgoW3Y1ti.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: 9MgoW3Y1ti.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: 9MgoW3Y1ti.tmp.0.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-VS29P.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-VS29P.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-VS29P.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: is-VS29P.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-VS29P.tmp.2.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-PU0LK.tmp.2.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 9MgoW3Y1ti.exe, 00000000.00000003.2173371991.0000000002350000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs 9MgoW3Y1ti.exe
Source: 9MgoW3Y1ti.exe, 00000000.00000003.2173880239.00000000020A8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs 9MgoW3Y1ti.exe
Source: 9MgoW3Y1ti.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: recordpadsoundrecorder32.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: _RegDLL.tmp.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: is-4KSHT.tmp.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: UID Finder 6.11.66.exe.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/49@1/2
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_00B50870 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError, 4_2_00B50870
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Code function: 0_2_0040936C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_0040936C
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00453FD0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 2_2_00453FD0
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_004547F8 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA, 2_2_004547F8
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: CreateServiceA, 3_2_00402588
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: CreateServiceA, 4_2_0040D117
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Code function: 0_2_00409AD0 FindResourceA,SizeofResource,LoadResource,LockResource, 0_2_00409AD0
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 3_2_00402299 StartServiceCtrlDispatcherA, 3_2_00402299
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_00402299 StartServiceCtrlDispatcherA, 4_2_00402299
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe File created: C:\Users\user\AppData\Local\Temp\is-O879I.tmp
Source: Yara match File source: 4.0.recordpadsoundrecorder32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.recordpadsoundrecorder32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.2196454307.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.2199461093.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-377H9.tmp, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 9MgoW3Y1ti.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe File read: C:\Users\user\Desktop\9MgoW3Y1ti.exe
Source: unknown Process created: C:\Users\user\Desktop\9MgoW3Y1ti.exe "C:\Users\user\Desktop\9MgoW3Y1ti.exe"
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Process created: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp "C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp" /SL5="$203EC,4916934,54272,C:\Users\user\Desktop\9MgoW3Y1ti.exe"
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Process created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -i
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Process created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -s
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Process created: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp "C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp" /SL5="$203EC,4916934,54272,C:\Users\user\Desktop\9MgoW3Y1ti.exe"
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Process created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -i
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Process created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe "C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe" -s
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 9MgoW3Y1ti.exe Static file information: File size 5167185 > 1048576
Source: Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: is-S4BNJ.tmp.2.dr
Source: Binary string: msvcp120.amd64.pdb source: is-DL0CV.tmp.2.dr
Source: Binary string: D:\Work\_\QtAV\QtAV-Desktop_Qt_5_15_1_MSVC2019_64bit\lib_win_x86_64\QtAVWidgets1.pdb++ source: is-U97AK.tmp.2.dr
Source: Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb.. source: is-823LG.tmp.2.dr
Source: Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb source: is-823LG.tmp.2.dr
Source: Binary string: msvcr120.amd64.pdb source: is-MH9PV.tmp.2.dr
Source: Binary string: d:\agent\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: is-HD7FV.tmp.2.dr
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Xml.pdb source: is-3D4M0.tmp.2.dr
Source: Binary string: C:\msys64\home\--\src\ffmpeg\libavdevice\avdevice-58.pdb source: is-TTPUD.tmp.2.dr
Source: Binary string: C:\msys64\home\--\src\ffmpeg\libavdevice\avdevice-58.pdb## source: is-TTPUD.tmp.2.dr
Source: Binary string: C:\msys64\home\--\src\openh264-2.0.0_x64\openh264.pdb source: is-1KIT8.tmp.2.dr
Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb** source: is-3VSKS.tmp.2.dr
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5OpenGL.pdb source: is-J8S40.tmp.2.dr
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5OpenGL.pdb33 source: is-J8S40.tmp.2.dr
Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb source: is-3VSKS.tmp.2.dr
Source: Binary string: D:\Work\_\QtAV\QtAV-Desktop_Qt_5_15_1_MSVC2019_64bit\lib_win_x86_64\QtAVWidgets1.pdb source: is-U97AK.tmp.2.dr

Data Obfuscation

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Unpacked PE file: 3.2.recordpadsoundrecorder32.exe.400000.0.unpack .text:ER;.bhead8:R;.data:W;.rsrc:R;.chead8:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Unpacked PE file: 4.2.recordpadsoundrecorder32.exe.400000.0.unpack .text:ER;.bhead8:R;.data:W;.rsrc:R;.chead8:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Unpacked PE file: 3.2.recordpadsoundrecorder32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Unpacked PE file: 4.2.recordpadsoundrecorder32.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00447F60 LoadLibraryExA,LoadLibraryA,GetProcAddress, 2_2_00447F60
Source: recordpadsoundrecorder32.exe.2.dr Static PE information: section name: .bhead8
Source: recordpadsoundrecorder32.exe.2.dr Static PE information: section name: .chead8
Source: is-S4BNJ.tmp.2.dr Static PE information: section name: .didat
Source: is-1KIT8.tmp.2.dr Static PE information: section name: .rodata
Source: is-PU0LK.tmp.2.dr Static PE information: section name: _RDATA
Source: is-4KSHT.tmp.2.dr Static PE information: section name: .vcp1208
Source: UID Finder 6.11.66.exe.3.dr Static PE information: section name: .bhead8
Source: UID Finder 6.11.66.exe.3.dr Static PE information: section name: .chead8
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Code function: 0_2_00406518 push 00406555h; ret 0_2_0040654D
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Code function: 0_2_0040C024 push cs; retn 0000h 0_2_0040C02F
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Code function: 0_2_00408028 push ecx; mov dword ptr [esp], eax 0_2_0040802D
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Code function: 0_2_00408E5C push 00408E8Fh; ret 0_2_00408E87
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_004098B4 push 004098F1h; ret 2_2_004098E9
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00456228 push 00456260h; ret 2_2_00456258
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_004062CC push ecx; mov dword ptr [esp], eax 2_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0045C574 push ecx; mov dword ptr [esp], eax 2_2_0045C579
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00410640 push ecx; mov dword ptr [esp], edx 2_2_00410645
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0040A6C8 push esp; retf 2_2_0040A6D1
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0047E6EC push 0047E7CAh; ret 2_2_0047E7C2
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00412898 push 004128FBh; ret 2_2_004128F3
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_004308A0 push ecx; mov dword ptr [esp], eax 2_2_004308A5
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00442E74 push ecx; mov dword ptr [esp], ecx 2_2_00442E78
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00450F04 push 00450F37h; ret 2_2_00450F2F
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0040CF98 push ecx; mov dword ptr [esp], edx 2_2_0040CF9A
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0047323C push ecx; mov dword ptr [esp], edx 2_2_0047323D
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0040546D push eax; ret 2_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0040F4F8 push ecx; mov dword ptr [esp], edx 2_2_0040F4FA
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0040553D push 00405749h; ret 2_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_004055BE push 00405749h; ret 2_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0040563B push 00405749h; ret 2_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_004056A0 push 00405749h; ret 2_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00457A94 push 00457AD8h; ret 2_2_00457AD0
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00419B98 push ecx; mov dword ptr [esp], ecx 2_2_00419B9D
Source: recordpadsoundrecorder32.exe.2.dr Static PE information: section name: .text entropy: 7.76464029877587
Source: is-4KSHT.tmp.2.dr Static PE information: section name: .text entropy: 7.694137885769827
Source: UID Finder 6.11.66.exe.3.dr Static PE information: section name: .text entropy: 7.76464029877587

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 3_2_00401A4F
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 4_2_00401A4F
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 4_2_00B4F851
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-VS29P.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-S4BNJ.tmp Jump to dropped file
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe File created: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-PU0LK.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libeay32.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\Temp\is-M9SH4.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp120.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-3D4M0.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\Temp\is-M9SH4.tmp\_isetup\_RegDLL.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-4KSHT.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-HD7FV.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-U97AK.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libmp3lame.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-MH9PV.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5OpenGL.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140_1.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-J8S40.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\mousehelper.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-EMQ3A.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-823LG.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\Temp\is-M9SH4.tmp\_isetup\_iscrypt.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Svg.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-TTPUD.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Xml.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe File created: C:\ProgramData\UID Finder 6.11.66\UID Finder 6.11.66.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-39U3O.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5WinExtras.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\Temp\is-M9SH4.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\avdevice-58.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-3VSKS.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcr120.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-DL0CV.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libcurl.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\openh264.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-1KIT8.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File created: C:\Users\user\AppData\Local\RecordPad Sound Recorder\QtAVWidgets1.dll (copy) Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 3_2_00401A4F
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 4_2_00401A4F
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 4_2_00B4F851
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 3_2_00402299 StartServiceCtrlDispatcherA, 3_2_00402299
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00423B7C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 2_2_00423B7C
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0047E0A8 IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 2_2_0047E0A8
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0042414C IsIconic,SetActiveWindow,SetFocus, 2_2_0042414C
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00424104 IsIconic,SetActiveWindow, 2_2_00424104
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_004182F4 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 2_2_004182F4
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_004227CC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 2_2_004227CC
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00417508 IsIconic,GetCapture, 2_2_00417508
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00417C40 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 2_2_00417C40
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00417C3E IsIconic,SetWindowPos, 2_2_00417C3E
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0044B08C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_0044B08C
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 3_2_00401B4B
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 4_2_00401B4B
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 4_2_00B4F955
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Window / User API: threadDelayed 1330 Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Window / User API: threadDelayed 8571 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-VS29P.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-S4BNJ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-PU0LK.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libeay32.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M9SH4.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp120.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M9SH4.tmp\_isetup\_RegDLL.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-3D4M0.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-4KSHT.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-U97AK.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libmp3lame.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-HD7FV.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-MH9PV.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5OpenGL.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcp140_1.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-J8S40.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\mousehelper.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-EMQ3A.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-823LG.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M9SH4.tmp\_isetup\_iscrypt.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Svg.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5Xml.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-TTPUD.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-39U3O.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\Qt5WinExtras.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M9SH4.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\avdevice-58.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-3VSKS.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\msvcr120.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-DL0CV.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\libcurl.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\openh264.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\is-1KIT8.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\RecordPad Sound Recorder\QtAVWidgets1.dll (copy) Jump to dropped file
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 4596 Thread sleep count: 1330 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 4596 Thread sleep time: -2660000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 4364 Thread sleep count: 41 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 4364 Thread sleep time: -2460000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 4596 Thread sleep count: 8571 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe TID: 4596 Thread sleep time: -17142000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe File opened: PhysicalDrive0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0047A964 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 2_2_0047A964
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00470C84 FindFirstFileA,FindNextFileA,FindClose, 2_2_00470C84
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00451668 FindFirstFileA,GetLastError, 2_2_00451668
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00460594 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 2_2_00460594
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00492760 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 2_2_00492760
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0047884C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 2_2_0047884C
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00460A10 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 2_2_00460A10
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0045F008 FindFirstFileA,FindNextFileA,FindClose, 2_2_0045F008
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Code function: 0_2_00409A14 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_00409A14
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: recordpadsoundrecorder32.exe, 00000004.00000002.3439366230.0000000000B37000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: recordpadsoundrecorder32.exe, 00000004.00000002.3439366230.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, recordpadsoundrecorder32.exe, 00000004.00000002.3439366230.0000000000B37000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_00B6016E RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 4_2_00B6016E
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00447F60 LoadLibraryExA,LoadLibraryA,GetProcAddress, 2_2_00447F60
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_00B46487 RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset, 4_2_00B46487
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_00B594D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00B594D8
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_004739C4 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 2_2_004739C4
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_0045B29C GetVersion,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,AllocateAndInitializeSid,GetLastError,LocalFree, 2_2_0045B29C
Source: C:\Users\user\AppData\Local\RecordPad Sound Recorder\recordpadsoundrecorder32.exe Code function: 4_2_00B5801D cpuid 4_2_00B5801D
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Code function: GetLocaleInfoA, 0_2_0040515C
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Code function: GetLocaleInfoA, 0_2_004051A8
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: GetLocaleInfoA, 2_2_004084D0
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: GetLocaleInfoA, 2_2_0040851C
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00456D8C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 2_2_00456D8C
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-O879I.tmp\9MgoW3Y1ti.tmp Code function: 2_2_00453F88 GetUserNameA, 2_2_00453F88
Source: C:\Users\user\Desktop\9MgoW3Y1ti.exe Code function: 0_2_00405C44 GetVersionExA, 0_2_00405C44

Stealing of Sensitive Information

Source: Yara match File source: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3438919346.00000000008B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: recordpadsoundrecorder32.exe PID: 5068, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000004.00000002.3442121569.0000000000B41000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3438919346.00000000008B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: recordpadsoundrecorder32.exe PID: 5068, type: MEMORYSTR