Analysis Report DHL_document11022020680908911.exe

Overview

General Information

Sample Name: DHL_document11022020680908911.exe
Analysis ID: 383099
MD5: dc8e7cde980f05501758f8ce3048682e
SHA1: fca9c2a66cfddfe6a8677e1568ea32ad18dda600
SHA256: e3b80db58c1fa79c3780e68cf7d3ea987fb2615a68077ba3b110cfd3a7cf4de6
Tags: DHLexeNanoCore
Infos:

Most interesting Screenshot:

Detection

NanoCore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Tries to delay execution (extensive OutputDebugStringW loop)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection

Classification

AV Detection:

barindex
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe ReversingLabs: Detection: 14%
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe ReversingLabs: Detection: 14%
Multi AV Scanner detection for submitted file
Source: DHL_document11022020680908911.exe ReversingLabs: Detection: 14%

Compliance:

barindex
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.67.150.212:443 -> 192.168.2.7:49703 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.150.212:443 -> 192.168.2.7:49725 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.150.212:443 -> 192.168.2.7:49728 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.150.212:443 -> 192.168.2.7:49732 version: TLS 1.0
Source: DHL_document11022020680908911.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: \??\C:\Windows\dll\System.pdb source: DHL_document11022020680908911.exe, 00000010.00000003.401824383.000000000717D000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: DHL_document11022020680908911.exe, 00000010.00000003.401824383.000000000717D000.00000004.00000001.sdmp
Source: Binary string: System.pdb source: DHL_document11022020680908911.exe, 00000010.00000003.410586054.000000000714D000.00000004.00000001.sdmp

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49723 -> 185.191.231.252:54984
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49726 -> 185.191.231.252:54984
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49730 -> 185.191.231.252:54984
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49733 -> 185.191.231.252:54984
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49737 -> 185.191.231.252:54984
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49738 -> 185.191.231.252:54984
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49740 -> 185.191.231.252:54984
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49743 -> 185.191.231.252:54984
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49748 -> 185.191.231.252:54984
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49754 -> 185.191.231.252:54984
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49757 -> 185.191.231.252:54984
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49723 -> 185.191.231.252:54984
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cfConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cf
Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cfConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cf
Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cfConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cf
Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cfConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cf
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.191.231.252 185.191.231.252
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNREAL-SERVERSUS UNREAL-SERVERSUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.67.150.212:443 -> 192.168.2.7:49703 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.150.212:443 -> 192.168.2.7:49725 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.150.212:443 -> 192.168.2.7:49728 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.150.212:443 -> 192.168.2.7:49732 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cfConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cf
Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cfConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cf
Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cfConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cf
Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cfConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cf
Source: svchost.exe, 00000023.00000003.481947215.000001EB10364000.00000004.00000001.sdmp String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-06T17:58:28.3925008Z||.||9f1af5de-a917-4d59-b623-fd59991517bf||1152921505693355901||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-04-06T17:57:25.3126054Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free* texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 00000023.00000003.473525877.000001EB1036D000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000023.00000003.473525877.000001EB1036D000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000023.00000003.473525877.000001EB1036D000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000023.00000003.473971258.000001EB1037E000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507060394,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6","PackageId":"448e913e-e6bd-69c2-2c7f-25b80795f801-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 00000023.00000003.473971258.000001EB1037E000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507060394,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6","PackageId":"448e913e-e6bd-69c2-2c7f-25b80795f801-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 00000023.00000003.473971258.000001EB1037E000.00000004.00000001.sdmp String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507060394,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6","PackageId":"448e913e-e6bd-69c2-2c7f-25b80795f801-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 00000023.00000003.474637686.000001EB103BB000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000023.00000003.474637686.000001EB103BB000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000023.00000003.474637686.000001EB103BB000.00000004.00000001.sdmp String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp String found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.facebook.com (Facebook)
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp String found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.twitter.com (Twitter)
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: <header class="mod-header" data-mod="header" data-immediate><div class="primary publication-theme-highlight"><a data-link-tracking="Header|MainLogo|Image|liverpool" id="logo" href="/">liverpool</a><a class="icon" id="hamburger" href="#">Load mobile navigation<span></span></a><nav class="primary"><section><ul data-level="1"><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Liverpool FC News" href="https://www.liverpool.com/liverpool-fc-news/">Liverpool FC News</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Latest News" href="https://www.liverpool.com/liverpool-fc-news/">Latest News</a></li><li><a data-link-tracking="Header|DropDown|Text|Transfer News" href="https://www.liverpool.com/liverpool-fc-news/transfer-news/">Transfer News</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Schedule" href="https://www.liverpool.com/schedule/">Schedule</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Premier League" href="https://www.liverpool.com/all-about/premier-league">Premier League</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li><a data-link-tracking="Header|SectionLabel|Text|Features" href="https://www.liverpool.com/liverpool-fc-news/features/">Features</a></li></ul></section></nav><profile-icon lr-custom-id="signin" lr-custom-class="header-profile-icon" lr-gtm-label="header" lr-show-account-link></profile-icon><div class="search"><button class="icon icon-search" id="search-icon" type="button" aria-label="Search"></button></div><div class="search-box hidden"><gcse:searchbox-only resultsUrl="https://www.liverpool.com/search/"></gcse:searchbox-only></div><div class="social-sites"><ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|top"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|top"></a></li></ul></div></div><nav class="secondary" data-smooth-scroll><section><ul class="click-track" data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/advertising/">Advertise with us</a></li></ul></section></nav><nav class="footer"><section><ul data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/r
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: <header class="mod-header" data-mod="header" data-immediate><div class="primary publication-theme-highlight"><a data-link-tracking="Header|MainLogo|Image|liverpool" id="logo" href="/">liverpool</a><a class="icon" id="hamburger" href="#">Load mobile navigation<span></span></a><nav class="primary"><section><ul data-level="1"><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Liverpool FC News" href="https://www.liverpool.com/liverpool-fc-news/">Liverpool FC News</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Latest News" href="https://www.liverpool.com/liverpool-fc-news/">Latest News</a></li><li><a data-link-tracking="Header|DropDown|Text|Transfer News" href="https://www.liverpool.com/liverpool-fc-news/transfer-news/">Transfer News</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Schedule" href="https://www.liverpool.com/schedule/">Schedule</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Premier League" href="https://www.liverpool.com/all-about/premier-league">Premier League</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li><a data-link-tracking="Header|SectionLabel|Text|Features" href="https://www.liverpool.com/liverpool-fc-news/features/">Features</a></li></ul></section></nav><profile-icon lr-custom-id="signin" lr-custom-class="header-profile-icon" lr-gtm-label="header" lr-show-account-link></profile-icon><div class="search"><button class="icon icon-search" id="search-icon" type="button" aria-label="Search"></button></div><div class="search-box hidden"><gcse:searchbox-only resultsUrl="https://www.liverpool.com/search/"></gcse:searchbox-only></div><div class="social-sites"><ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|top"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|top"></a></li></ul></div></div><nav class="secondary" data-smooth-scroll><section><ul class="click-track" data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/advertising/">Advertise with us</a></li></ul></section></nav><nav class="footer"><section><ul data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/r
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: <meta property="og:site_name" content="Liverpool.com"><meta property="og:language" content="en"><meta property="og:type" content="article"><meta property="og:title" content="The Brewster Experience has underdelivered so far, but that will change"><meta property="og:url" content="https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763"><meta property="og:description" content="Rhian Brewster was hyped up before the start of the season, but was that fair?"><meta property="og:image" content="https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178657262.jpg"><meta property="og:section" content="Features"><meta property="article:tag" content="Rhian Brewster"><meta property="article:author" content="https://www.facebook.com/kristianwalsh1987/"><meta property="article:published_time" content="2019-10-30T16:00:00Z"><meta property="article:modified_time" content="2019-10-30T15:36:53Z"><meta property="article:expiration_time" content="2019-11-29T15:36:53Z"><meta property="article:section" content="Features"><meta property="article:id" content="liverpool-17172763"> equals www.facebook.com (Facebook)
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.facebook.com (Facebook)
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.twitter.com (Twitter)
Source: svchost.exe, 00000023.00000003.482095331.000001EB10375000.00000004.00000001.sdmp String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy | LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-06T17:58:28.3925008Z||.||9f1af5de-a917-4d59-b623-fd59991517bf||1152921505693355901||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-04-06T17:57:25.3126054Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free* texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: unknown DNS traffic detected: queries for: myliverpoolnews.cf
Source: DHL_document11022020680908911.exe, 00000000.00000002.294730568.000000000148E000.00000004.00000020.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: DHL_document11022020680908911.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: svchost.exe, 00000023.00000003.466629025.000001EB10342000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: DHL_document11022020680908911.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: DHL_document11022020680908911.exe, 00000000.00000002.294730568.000000000148E000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: DHL_document11022020680908911.exe, 00000000.00000002.294730568.000000000148E000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: DHL_document11022020680908911.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: svchost.exe, 00000023.00000003.466629025.000001EB10342000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: DHL_document11022020680908911.exe, 00000000.00000002.294730568.000000000148E000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: DHL_document11022020680908911.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: DHL_document11022020680908911.exe, 00000000.00000002.294730568.000000000148E000.00000004.00000020.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: DHL_document11022020680908911.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: svchost.exe, 00000023.00000003.466629025.000001EB10342000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: DHL_document11022020680908911.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: DHL_document11022020680908911.exe, 00000000.00000002.294730568.000000000148E000.00000004.00000020.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: DHL_document11022020680908911.exe, 00000000.00000002.294730568.000000000148E000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: DHL_document11022020680908911.exe, 00000000.00000003.231282357.00000000058C1000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?02ae22cf14047
Source: DHL_document11022020680908911.exe, 00000000.00000002.296377596.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: http://myliverpoolnews.cf
Source: DHL_document11022020680908911.exe, 00000000.00000002.296377596.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-
Source: DHL_document11022020680908911.exe, 00000000.00000002.294730568.000000000148E000.00000004.00000020.sdmp, svchost.exe, 00000023.00000003.466629025.000001EB10342000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: DHL_document11022020680908911.exe, 00000000.00000002.294730568.000000000148E000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: DHL_document11022020680908911.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: DHL_document11022020680908911.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000003.00000003.397779990.0000000007DAC000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/BreadcrumbList
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/ListItem
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/NewsArticle
Source: DHL_document11022020680908911.exe, 00000000.00000002.296377596.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000003.397779990.0000000007DAC000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svchost.exe, 00000011.00000002.315276492.000002886D613000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: DHL_document11022020680908911.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: DHL_document11022020680908911.exe, 00000000.00000002.294730568.000000000148E000.00000004.00000020.sdmp String found in binary or memory: http://www.digicert.com/CPS0v
Source: svchost.exe, 00000023.00000003.474637686.000001EB103BB000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.473525877.000001EB1036D000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.473971258.000001EB1037E000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 00000023.00000003.474637686.000001EB103BB000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.473525877.000001EB1036D000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.473971258.000001EB1037E000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 00000023.00000003.461376428.000001EB103BA000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/privacy
Source: svchost.exe, 00000023.00000003.461376428.000001EB103BA000.00000004.00000001.sdmp String found in binary or memory: http://www.hulu.com/terms
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js
Source: svchost.exe, 00000011.00000003.311219184.000002886D661000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://c.amazon-adsystem.com/aax2/apstag.js
Source: svchost.exe, 00000011.00000003.311386179.000002886D65A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000011.00000002.315980166.000002886D65C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000011.00000003.311219184.000002886D661000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000011.00000002.315639072.000002886D63D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000011.00000002.315980166.000002886D65C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000011.00000003.311219184.000002886D661000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000011.00000003.310953123.000002886D64A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000011.00000002.315980166.000002886D65C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000011.00000002.315639072.000002886D63D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000011.00000003.311219184.000002886D661000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000011.00000003.311219184.000002886D661000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000011.00000003.311219184.000002886D661000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000011.00000003.311767855.000002886D641000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000011.00000003.311767855.000002886D641000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000011.00000003.311219184.000002886D661000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000011.00000002.315980166.000002886D65C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000011.00000003.311386179.000002886D65A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000011.00000002.315980166.000002886D65C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000011.00000002.315980166.000002886D65C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000011.00000003.310953123.000002886D64A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.311386179.000002886D65A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000011.00000003.311219184.000002886D661000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000011.00000002.315639072.000002886D63D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000011.00000003.289025096.000002886D632000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000017.00000003.404168763.0000000007BDB000.00000004.00000001.sdmp String found in binary or memory: https://felix.data.tm-awx.com
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://felix.data.tm-awx.com/ampconfig.json&quot;
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp String found in binary or memory: https://felix.data.tm-awx.com/felix.min.js
Source: powershell.exe, 00000003.00000003.397779990.0000000007DAC000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://github.com/ded/script.js
Source: DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.live
Source: svchost.exe, 00000017.00000003.404168763.0000000007BDB000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article17156435.ece/ALTERNATES/s615/1_GettyImages-1183794835.
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article17166876.ece/ALTERNATES/s615/0_GettyImages-1175998874.
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s220b/0_Salah-Pressing.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s180/0_Curtis-10.png
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s220b/0_Salah-Goal-vs-Leeds.jp
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s180/0_GettyImages-1304940818.
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000003.240448674.0000000006EC2000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.371893373.00000000069B2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000003.240448674.0000000006EC2000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.371893373.00000000069B2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000003.240448674.0000000006EC2000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.371893373.00000000069B2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000003.240448674.0000000006EC2000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.371893373.00000000069B2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000003.240448674.0000000006EC2000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.371893373.00000000069B2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000003.240448674.0000000006EC2000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.371893373.00000000069B2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s180/0_GettyImages-1273716690.
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s615/0_GettyImages-1302496803.
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s615/1_WhatsApp-Image-2021-03-
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837
Source: svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178
Source: svchost.exe, 00000023.00000003.474637686.000001EB103BB000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.473525877.000001EB1036D000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.473971258.000001EB1037E000.00000004.00000001.sdmp String found in binary or memory: https://instagram.com/hiddencity_
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://mab.data.tm-awx.com/rhs&quot;
Source: DHL_document11022020680908911.exe, 00000000.00000002.296593502.0000000003035000.00000004.00000001.sdmp String found in binary or memory: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal
Source: DHL_document11022020680908911.exe, 00000000.00000002.296593502.0000000003035000.00000004.00000001.sdmp String found in binary or memory: https://myliverpoolnews.cf4=k
Source: svchost.exe, 00000017.00000003.404168763.0000000007BDB000.00000004.00000001.sdmp String found in binary or memory: https://quantcast.mgr.consensu.org
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp String found in binary or memory: https://reach-id.orbit.tm-awx.com/analytics.js.gz
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://reachplc.hub.loginradius.com&quot;
Source: DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: svchost.exe, 00000017.00000003.404168763.0000000007BDB000.00000004.00000001.sdmp String found in binary or memory: https://s2-prod.liverpool.com
Source: svchost.exe, 00000017.00000003.404168763.0000000007BDB000.00000004.00000001.sdmp String found in binary or memory: https://s2-prod.liverpool.com/
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://s2-prod.mirror.co.uk/
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://securepubads.g.doubleclick.net/tag/js/gpt.js
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp String found in binary or memory: https://static.hotjar.com/c/hotjar-
Source: svchost.exe, 00000011.00000002.315639072.000002886D63D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000011.00000002.315276492.000002886D613000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.315639072.000002886D63D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000011.00000003.289025096.000002886D632000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000011.00000003.311553816.000002886D640000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000011.00000003.289025096.000002886D632000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000011.00000003.311901316.000002886D63B000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000011.00000003.310953123.000002886D64A000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://trinitymirror.grapeshot.co.uk/
Source: DHL_document11022020680908911.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: svchost.exe, 00000017.00000003.404168763.0000000007BDB000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com
Source: svchost.exe, 00000017.00000003.404168763.0000000007BDB000.00000004.00000001.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-M3TH25P
Source: svchost.exe, 00000023.00000003.461376428.000001EB103BA000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 00000023.00000003.461376428.000001EB103BA000.00000004.00000001.sdmp String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/andrew-robertson
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/champions-league
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/curtis-jones
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/georginio-wijnaldum
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/mohamed-salah
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/ozan-kabak
Source: svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/premier-league
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/sadio-mane
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000003.240448674.0000000006EC2000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.371893373.00000000069B2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/steven-gerrard
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/transfers
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/
Source: svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/
Source: svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166
Source: svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-barcelona-real-madrid-psg-17164868
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194
Source: svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-curtis-jones-jurgen-klopp-19941053
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-gini-wijnaldum-rumours-fitness-199533
Source: svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836
Source: svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391
Source: svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850
Source: svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-sadio-mane-expected-goals-19932676
Source: svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763&
Source: svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-199590
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/
Source: svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/schedule/
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/search/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: DHL_document11022020680908911.exe, 00000000.00000002.294586472.000000000145B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

barindex
Executable has a suspicious name (potential lure to open the executable)
Source: DHL_document11022020680908911.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: DHL_document11022020680908911.exe
Creates files inside the system directory
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe File created: C:\Windows\Microsoft.NET\Framework\zjIuYLHx Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Code function: 0_2_02FB2718 0_2_02FB2718
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Code function: 0_2_02FB2E90 0_2_02FB2E90
PE / OLE file has an invalid certificate
Source: DHL_document11022020680908911.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: DHL_document11022020680908911.exe, 00000000.00000003.229076348.00000000014D9000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs DHL_document11022020680908911.exe
Source: DHL_document11022020680908911.exe, 00000000.00000002.296330308.0000000002FD0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dllj% vs DHL_document11022020680908911.exe
Source: DHL_document11022020680908911.exe, 00000000.00000002.294586472.000000000145B000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs DHL_document11022020680908911.exe
Source: DHL_document11022020680908911.exe, 00000000.00000002.293255563.00000000010F7000.00000004.00000010.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DHL_document11022020680908911.exe
Source: DHL_document11022020680908911.exe, 0000000E.00000002.287412215.00000000001E6000.00000002.00020000.sdmp Binary or memory string: OriginalFilename vs DHL_document11022020680908911.exe
Source: DHL_document11022020680908911.exe, 00000010.00000000.288168526.0000000000FB6000.00000002.00020000.sdmp Binary or memory string: OriginalFilename vs DHL_document11022020680908911.exe
Source: DHL_document11022020680908911.exe Binary or memory string: OriginalFilename vs DHL_document11022020680908911.exe
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: classification engine Classification label: mal100.evad.winEXE@43/34@8/4
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe File created: C:\Users\user\AppData\Local\??????????????????_Inc Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4792:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6408:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6436:120:WilError_01
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{56106451-c434-463f-9b08-031bd1e7ffa5}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jkjtufbf.qos.ps1 Jump to behavior
Source: DHL_document11022020680908911.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: DHL_document11022020680908911.exe ReversingLabs: Detection: 14%
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe File read: C:\Users\user\Desktop\DHL_document11022020680908911.exe:Zone.Identifier Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\DHL_document11022020680908911.exe 'C:\Users\user\Desktop\DHL_document11022020680908911.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DHL_document11022020680908911.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process created: C:\Users\user\Desktop\DHL_document11022020680908911.exe C:\Users\user\Desktop\DHL_document11022020680908911.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process created: C:\Users\user\Desktop\DHL_document11022020680908911.exe C:\Users\user\Desktop\DHL_document11022020680908911.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DHL_document11022020680908911.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process created: C:\Users\user\Desktop\DHL_document11022020680908911.exe C:\Users\user\Desktop\DHL_document11022020680908911.exe Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process created: C:\Users\user\Desktop\DHL_document11022020680908911.exe C:\Users\user\Desktop\DHL_document11022020680908911.exe Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: DHL_document11022020680908911.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL_document11022020680908911.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: \??\C:\Windows\dll\System.pdb source: DHL_document11022020680908911.exe, 00000010.00000003.401824383.000000000717D000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: DHL_document11022020680908911.exe, 00000010.00000003.401824383.000000000717D000.00000004.00000001.sdmp
Source: Binary string: System.pdb source: DHL_document11022020680908911.exe, 00000010.00000003.410586054.000000000714D000.00000004.00000001.sdmp

Data Obfuscation:

barindex
Binary contains a suspicious time stamp
Source: DHL_document11022020680908911.exe Static PE information: 0xB5100D24 [Mon Apr 5 21:20:36 2066 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Code function: 0_2_02FB4C63 push eax; iretd 0_2_02FB4C69

Persistence and Installation Behavior:

barindex
Drops PE files with benign system names
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe File created: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Jump to dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Executable created and started: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe
Drops PE files
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe File created: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Jump to dropped file
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe File created: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Jump to dropped file

Boot Survival:

barindex
Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce YjhEmlfdsnrvbvoUtFds Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce YjhEmlfdsnrvbvoUtFds Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce YjhEmlfdsnrvbvoUtFds Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce YjhEmlfdsnrvbvoUtFds Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce YjhEmlfdsnrvbvoUtFds Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe File opened: C:\Users\user\Desktop\DHL_document11022020680908911.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Tries to delay execution (extensive OutputDebugStringW loop)
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Section loaded: OutputDebugStringW count: 106
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Section loaded: OutputDebugStringW count: 112
Contains capabilities to detect virtual machines
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4249 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2926 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4843 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1992 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2690
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Window / User API: threadDelayed 5533
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Window / User API: threadDelayed 2168
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe TID: 5884 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe TID: 6052 Thread sleep count: 99 > 30 Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe TID: 4904 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe TID: 2848 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1520 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1520 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6488 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6680 Thread sleep count: 4843 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6824 Thread sleep count: 47 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6664 Thread sleep count: 1992 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6396 Thread sleep time: -23980767295822402s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6396 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6396 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5248 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5248 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe TID: 6512 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe TID: 1596 Thread sleep time: -820000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe TID: 5680 Thread sleep count: 100 > 30
Source: C:\Windows\System32\svchost.exe TID: 1220 Thread sleep time: -210000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Thread delayed: delay time: 922337203685477
Source: svchost.exe, 00000001.00000002.253935389.000001B410B40000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.339964964.000001C6EEC60000.00000002.00000001.sdmp, svchost.exe, 00000018.00000002.402859163.0000018ABE540000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: DHL_document11022020680908911.exe, 00000000.00000003.231282357.00000000058C1000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW(A
Source: svchost.exe, 00000014.00000003.448192999.0000000005143000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: DHL_document11022020680908911.exe, 00000000.00000003.231282357.00000000058C1000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000001.00000002.253935389.000001B410B40000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.339964964.000001C6EEC60000.00000002.00000001.sdmp, svchost.exe, 00000018.00000002.402859163.0000018ABE540000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000001.00000002.253935389.000001B410B40000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.339964964.000001C6EEC60000.00000002.00000001.sdmp, svchost.exe, 00000018.00000002.402859163.0000018ABE540000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000001.00000002.253935389.000001B410B40000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.339964964.000001C6EEC60000.00000002.00000001.sdmp, svchost.exe, 00000018.00000002.402859163.0000018ABE540000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Network Connect: 172.67.150.212 443
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Domain query: myliverpoolnews.cf
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DHL_document11022020680908911.exe' -Force
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DHL_document11022020680908911.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DHL_document11022020680908911.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process created: C:\Users\user\Desktop\DHL_document11022020680908911.exe C:\Users\user\Desktop\DHL_document11022020680908911.exe Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Process created: C:\Users\user\Desktop\DHL_document11022020680908911.exe C:\Users\user\Desktop\DHL_document11022020680908911.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Process created: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Queries volume information: C:\Users\user\Desktop\DHL_document11022020680908911.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Queries volume information: C:\Users\user\Desktop\DHL_document11022020680908911.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 383099 Sample: DHL_document11022020680908911.exe Startdate: 07/04/2021 Architecture: WINDOWS Score: 100 71 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->71 73 Multi AV Scanner detection for dropped file 2->73 75 Multi AV Scanner detection for submitted file 2->75 77 3 other signatures 2->77 7 DHL_document11022020680908911.exe 18 12 2->7         started        12 svchost.exe 2->12         started        14 svchost.exe 2->14         started        16 12 other processes 2->16 process3 dnsIp4 65 myliverpoolnews.cf 172.67.150.212, 443, 49701, 49703 CLOUDFLARENETUS United States 7->65 57 C:\Windows\Microsoft.NET\...\svchost.exe, PE32 7->57 dropped 59 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 7->59 dropped 61 C:\...\DHL_document11022020680908911.exe.log, ASCII 7->61 dropped 81 Creates an autostart registry key pointing to binary in C:\Windows 7->81 83 Adds a directory exclusion to Windows Defender 7->83 85 Tries to delay execution (extensive OutputDebugStringW loop) 7->85 87 Drops PE files with benign system names 7->87 18 DHL_document11022020680908911.exe 7->18         started        23 powershell.exe 22 7->23         started        25 powershell.exe 24 7->25         started        35 2 other processes 7->35 89 System process connects to network (likely due to code injection or exploit) 12->89 91 Multi AV Scanner detection for dropped file 12->91 93 Drops executables to the windows directory (C:\Windows) and starts them 12->93 27 powershell.exe 12->27         started        29 powershell.exe 12->29         started        31 powershell.exe 12->31         started        37 2 other processes 12->37 67 127.0.0.1 unknown unknown 16->67 69 192.168.2.1 unknown unknown 16->69 95 Changes security center settings (notifications, updates, antivirus, firewall) 16->95 33 MpCmdRun.exe 16->33         started        file5 signatures6 process7 dnsIp8 63 185.191.231.252, 49723, 49726, 49729 UNREAL-SERVERSUS Netherlands 18->63 53 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->53 dropped 55 C:\Users\user\AppData\Roaming\...\run.dat, data 18->55 dropped 79 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->79 39 conhost.exe 23->39         started        41 conhost.exe 25->41         started        43 conhost.exe 27->43         started        45 conhost.exe 29->45         started        47 conhost.exe 31->47         started        49 conhost.exe 33->49         started        51 conhost.exe 35->51         started        file9 signatures10 process11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.191.231.252
 unknown Netherlands
64236 UNREAL-SERVERSUS true
172.67.150.212
 myliverpoolnews.cf United States
13335 CLOUDFLARENETUS true

Private
IP
192.168.2.1
127.0.0.1

Contacted Domains

Name IP Active
myliverpoolnews.cf 172.67.150.212 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html true
  • Avira URL Cloud: safe
 unknown
http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html true
  • Avira URL Cloud: safe
 unknown