Analysis Report KHAWATMI CO.IMPORT & EXPORT_PDF.exe

Overview

General Information

Sample Name: KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Analysis ID: 385328
MD5: ee8919ff7b5f2a89b6c1984a6a3b7fbc
SHA1: cafb42ed9189ff950da2b14d7ab3aeab229d8165
SHA256: 5074a2f201d924bdf62f0a58bca9cf0a5536af84b3b90bc6915a5cf36dfe019f

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Contains functionality to hide a thread from the debugger
Contains functionality to register a low level keyboard hook
Drops executable to a common third party application directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Allocates a big amount of memory (probably used for heap spraying)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 6.2.KHAWATMI CO.IMPORT & EXPORT_PDF.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "ugooo@jumatsedekah.comB1]ir;)]vV*%mail.jumatsedekah.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe ReversingLabs: Detection: 12%
Multi AV Scanner detection for submitted file
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe ReversingLabs: Detection: 12%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.KHAWATMI CO.IMPORT & EXPORT_PDF.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 20.2.firefox.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.17.57:443 -> 192.168.2.4:49730 version: TLS 1.0
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdbI source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: o.pdb2 source: firefox.exe, 0000000D.00000002.742868126.00000000006F9000.00000004.00000010.sdmp
Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb" source: WerFault.exe, 00000016.00000003.759425165.0000000004FB2000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.743032911.0000000002ACF000.00000004.00000001.sdmp
Source: Binary string: System.pdb" source: WerFault.exe, 00000016.00000003.759425165.0000000004FB2000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.680555966.0000000005470000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759441290.0000000005140000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb$ source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.742360122.0000000002AC3000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb7 source: firefox.exe, 0000000D.00000002.743484247.00000000008FE000.00000004.00000020.sdmp
Source: Binary string: bcrypt.pdb" source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdbhG source: WerFault.exe, 00000016.00000003.759369421.0000000004F90000.00000004.00000001.sdmp
Source: Binary string: ml.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: .ni.pdb source: WerFault.exe, 00000009.00000003.680034398.0000000005488000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759271967.0000000005153000.00000004.00000001.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 00000009.00000003.680555966.0000000005470000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759441290.0000000005140000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdbs source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 00000016.00000003.759425165.0000000004FB2000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
Source: Binary string: shcore.pdb] source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.744010464.0000000002AD5000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb> source: firefox.exe, 0000000D.00000002.743484247.00000000008FE000.00000004.00000020.sdmp
Source: Binary string: System.Windows.Forms.pdb0 source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: firefox.exe, 0000000D.00000002.743484247.00000000008FE000.00000004.00000020.sdmp
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
Source: Binary string: indows.Forms.pdb source: WerFault.exe, 00000009.00000003.680034398.0000000005488000.00000004.00000001.sdmp
Source: Binary string: shcore.pdbr source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdbQ source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbu source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: rtutils.pdbG source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbt source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: version.pdbC source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WERF393.tmp.dmp.22.dr
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: firefox.PDB source: firefox.exe, 0000000D.00000002.742868126.00000000006F9000.00000004.00000010.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbe source: firefox.exe, 0000000D.00000002.743484247.00000000008FE000.00000004.00000020.sdmp
Source: Binary string: WLDP.pdbc source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: schannel.pdbe source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbL source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp
Source: Binary string: nsi.pdb5 source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.680571543.0000000005474000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759299892.0000000005141000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: iVisualBasic.pdb source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.663878392.0000000000BF8000.00000004.00000010.sdmp, firefox.exe, 0000000D.00000002.742868126.00000000006F9000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdba source: firefox.exe, 0000000D.00000002.743484247.00000000008FE000.00000004.00000020.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000016.00000003.743032911.0000000002ACF000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERF393.tmp.dmp.22.dr
Source: Binary string: ncrypt.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: secur32.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
Source: Binary string: version.pdb. source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WERF393.tmp.dmp.22.dr
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb[ source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdbz< source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: ml.ni.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759271967.0000000005153000.00000004.00000001.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WERF393.tmp.dmp.22.dr
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: KHAWATMI CO.IMPORT & EXPORT_PDF.PDB source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.663878392.0000000000BF8000.00000004.00000010.sdmp
Source: Binary string: ml.ni.pdb" source: WerFault.exe, 00000016.00000003.759271967.0000000005153000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
Source: Binary string: fwpuclnt.pdb[ source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: wintrust.pdb,< source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb] source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.680555966.0000000005470000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759441290.0000000005140000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 00000016.00000003.759271967.0000000005153000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: firefox.exe, 0000000D.00000002.743484247.00000000008FE000.00000004.00000020.sdmp
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb6 source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.PDB source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.663878392.0000000000BF8000.00000004.00000010.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdbI source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: firefox.exe, 0000000D.00000002.742868126.00000000006F9000.00000004.00000010.sdmp
Source: Binary string: c.pdbis source: firefox.exe, 0000000D.00000002.742868126.00000000006F9000.00000004.00000010.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdby source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: clrjit.pdbW source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb8 source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdbE source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: .pdb:h source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.663878392.0000000000BF8000.00000004.00000010.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb0 source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
Source: Binary string: rtutils.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: System.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000016.00000003.742360122.0000000002AC3000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdba source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.680555966.0000000005470000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759441290.0000000005140000.00000004.00000040.sdmp
Source: Binary string: WLDP.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbRSDS source: WERF393.tmp.dmp.22.dr
Source: Binary string: clrjit.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
Source: Binary string: ml.pdb))" source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: onfiguration.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
Source: Binary string: urlmon.pdb&< source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: ore.ni.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
Source: Binary string: System.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
Source: Binary string: ore.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.680555966.0000000005470000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759441290.0000000005140000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdbH source: WERF393.tmp.dmp.22.dr
Source: Binary string: psapi.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
Source: Binary string: secur32.pdbo source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
Source: Binary string: cldapi.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb~ source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000016.00000003.744010464.0000000002AD5000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbo source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdby source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 00000009.00000003.680571543.0000000005474000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759299892.0000000005141000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\firefox\firefox.PDB source: firefox.exe, 0000000D.00000002.742868126.00000000006F9000.00000004.00000010.sdmp
Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: edputil.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdbw source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp

Software Vulnerabilities:

Allocates a big amount of memory (probably used for heap spraying)
Source: firefox.exe Memory has grown: Private usage: 5MB later: 28MB

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49771 -> 101.50.1.12:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49772 -> 101.50.1.12:587
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49771 -> 101.50.1.12:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7E01452C0469561541C13E621DA21CFA.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: bornforthis.mlConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.21.17.57
Source: Joe Sandbox View IP Address: 101.50.1.12
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: BEON-AS-IDPTBeonIntermediaID
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49771 -> 101.50.1.12:587
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.17.57:443 -> 192.168.2.4:49730 version: TLS 1.0
Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7E01452C0469561541C13E621DA21CFA.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: bornforthis.mlConnection: Keep-Alive
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp String found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a 
href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.facebook.com (Facebook)
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp String found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a 
href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.twitter.com (Twitter)
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp String found in binary or memory: <header class="mod-header" data-mod="header" data-immediate><div class="primary publication-theme-highlight"><a data-link-tracking="Header|MainLogo|Image|liverpool" id="logo" href="/">liverpool</a><a class="icon" id="hamburger" href="#">Load mobile navigation<span></span></a><nav class="primary"><section><ul data-level="1"><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Liverpool FC News" href="https://www.liverpool.com/liverpool-fc-news/">Liverpool FC News</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Latest News" href="https://www.liverpool.com/liverpool-fc-news/">Latest News</a></li><li><a data-link-tracking="Header|DropDown|Text|Transfer News" href="https://www.liverpool.com/liverpool-fc-news/transfer-news/">Transfer News</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Schedule" href="https://www.liverpool.com/schedule/">Schedule</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Premier League" href="https://www.liverpool.com/all-about/premier-league">Premier League</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li><a data-link-tracking="Header|SectionLabel|Text|Features" href="https://www.liverpool.com/liverpool-fc-news/features/">Features</a></li></ul></section></nav><profile-icon lr-custom-id="signin" lr-custom-class="header-profile-icon" lr-gtm-label="header" lr-show-account-link></profile-icon><div class="search"><button class="icon icon-search" id="search-icon" type="button" aria-label="Search"></button></div><div class="search-box hidden"><gcse:searchbox-only resultsUrl="https://www.liverpool.com/search/"></gcse:searchbox-only></div><div class="social-sites"><ul><li class="follow hidden"><span class="follow-text publication-theme">Follow 
us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|top"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|top"></a></li></ul></div></div><nav class="secondary" data-smooth-scroll><section><ul class="click-track" data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/advertising/">Advertise with us</a></li></ul></section></nav><nav class="footer"><section><ul data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/r
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp String found in binary or memory: <meta property="og:site_name" content="Liverpool.com"><meta property="og:language" content="en"><meta property="og:type" content="article"><meta property="og:title" content="The Brewster Experience has underdelivered so far, but that will change"><meta property="og:url" content="https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763"><meta property="og:description" content="Rhian Brewster was hyped up before the start of the season, but was that fair?"><meta property="og:image" content="https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178657262.jpg"><meta property="og:section" content="Features"><meta property="article:tag" content="Rhian Brewster"><meta property="article:author" content="https://www.facebook.com/kristianwalsh1987/"><meta property="article:published_time" content="2019-10-30T16:00:00Z"><meta property="article:modified_time" content="2019-10-30T15:36:53Z"><meta property="article:expiration_time" content="2019-11-29T15:36:53Z"><meta property="article:section" content="Features"><meta property="article:id" content="liverpool-17172763"> equals www.facebook.com (Facebook)
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp String found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.facebook.com (Facebook)
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp String found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.twitter.com (Twitter)
Source: unknown DNS traffic detected: queries for: clientconfig.passport.net
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.910151654.00000000030D1000.00000004.00000001.sdmp, firefox.exe, 00000014.00000002.909476623.0000000002881000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: firefox.exe, 00000014.00000002.909476623.0000000002881000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: firefox.exe, 00000014.00000002.909476623.0000000002881000.00000004.00000001.sdmp String found in binary or memory: http://ZUOsUg.com
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664598431.0000000002DA1000.00000004.00000001.sdmp String found in binary or memory: http://bornforthis.ml
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe String found in binary or memory: http://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalgl
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000003.865790831.000000000157B000.00000004.00000001.sdmp String found in binary or memory: http://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalgli
Source: firefox.exe, firefox.exe, 00000017.00000002.742548778.00000000005B2000.00000002.00020000.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe String found in binary or memory: http://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7E01
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664643567.0000000002DEA000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664643567.0000000002DEA000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664643567.0000000002DEA000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.910913383.000000000343A000.00000004.00000001.sdmp String found in binary or memory: http://jumatsedekah.com
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.910913383.000000000343A000.00000004.00000001.sdmp String found in binary or memory: http://mail.jumatsedekah.com
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664643567.0000000002DEA000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/BreadcrumbList
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/ListItem
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/NewsArticle
Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664598431.0000000002DA1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664643567.0000000002DEA000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/CPS0v
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.910913383.000000000343A000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.910949295.0000000003449000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.910822738.00000000033EB000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.910151654.00000000030D1000.00000004.00000001.sdmp String found in binary or memory: https://WmLbJDkaOPbXW.org
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp String found in binary or memory: https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.910151654.00000000030D1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%$
Source: firefox.exe, 00000014.00000002.909476623.0000000002881000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664634640.0000000002DD5000.00000004.00000001.sdmp String found in binary or memory: https://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7E0
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664634640.0000000002DD5000.00000004.00000001.sdmp String found in binary or memory: https://bornforthis.ml46kX
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp String found in binary or memory: https://c.amazon-adsystem.com/aax2/apstag.js
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Code function: 6_2_01320BD8 SetWindowsHookExW 0000000D,00000000,?,? 6_2_01320BD8
Installs a global keyboard hook
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Code function: 0_2_0125B5C0 NtSetInformationThread, 0_2_0125B5C0
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Code function: 0_2_0125C298 NtSetInformationThread, 0_2_0125C298
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Code function: 13_2_025EB160 NtSetInformationThread, 13_2_025EB160
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Code function: 13_2_025EBE38 NtSetInformationThread, 13_2_025EBE38
Detected potential crypto function
One or more processes crash
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 2116
Sample file is different than original file name gathered from version info
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664566237.0000000002D60000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dllj% vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666124062.0000000003E89000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664573593.0000000002D70000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.668566145.0000000005280000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.674828496.0000000007220000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000000.642139729.0000000000A66000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamebadenberg.exe4 vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTvZX Vud.exe2 vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.674746922.00000000070B0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.674746922.00000000070B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.674548443.0000000006FE0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000005.00000002.660029475.00000000003B6000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamebadenberg.exe4 vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe Binary or memory string: OriginalFilename vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.906435816.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameTvZX Vud.exe2 vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.913337240.00000000061F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.909245400.00000000014CA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000003.865790831.000000000157B000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamebadenberg.exe4 vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.914133046.00000000065F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.907031413.00000000010F8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe Binary or memory string: OriginalFilenamebadenberg.exe4 vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@21/12@7/2
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe File created: C:\Users\user\YmbIShslLTQZdUqXrfprIi
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7036
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7092
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6076:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6685.tmp
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe ReversingLabs: Detection: 12%
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe File read: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe:Zone.Identifier
Source: unknown Process created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe 'C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe'
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Process created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Process created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 2116
Source: unknown Process created: C:\Users\user\AppData\Roaming\firefox\firefox.exe 'C:\Users\user\AppData\Roaming\firefox\firefox.exe'
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Process created: C:\Users\user\AppData\Roaming\firefox\firefox.exe C:\Users\user\AppData\Roaming\firefox\firefox.exe
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7036 -s 1480
Source: unknown Process created: C:\Users\user\AppData\Roaming\firefox\firefox.exe 'C:\Users\user\AppData\Roaming\firefox\firefox.exe'
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdbI source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: o.pdb2 source: firefox.exe, 0000000D.00000002.742868126.00000000006F9000.00000004.00000010.sdmp
Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb" source: WerFault.exe, 00000016.00000003.759425165.0000000004FB2000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.743032911.0000000002ACF000.00000004.00000001.sdmp
Source: Binary string: System.pdb" source: WerFault.exe, 00000016.00000003.759425165.0000000004FB2000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.680555966.0000000005470000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759441290.0000000005140000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb$ source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.742360122.0000000002AC3000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb7 source: firefox.exe, 0000000D.00000002.743484247.00000000008FE000.00000004.00000020.sdmp
Source: Binary string: bcrypt.pdb" source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdbhG source: WerFault.exe, 00000016.00000003.759369421.0000000004F90000.00000004.00000001.sdmp
Source: Binary string: ml.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: .ni.pdb source: WerFault.exe, 00000009.00000003.680034398.0000000005488000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759271967.0000000005153000.00000004.00000001.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 00000009.00000003.680555966.0000000005470000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759441290.0000000005140000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdbs source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 00000016.00000003.759425165.0000000004FB2000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
Source: Binary string: shcore.pdb] source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.744010464.0000000002AD5000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb> source: firefox.exe, 0000000D.00000002.743484247.00000000008FE000.00000004.00000020.sdmp
Source: Binary string: System.Windows.Forms.pdb0 source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: firefox.exe, 0000000D.00000002.743484247.00000000008FE000.00000004.00000020.sdmp
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
Source: Binary string: indows.Forms.pdb source: WerFault.exe, 00000009.00000003.680034398.0000000005488000.00000004.00000001.sdmp
Source: Binary string: shcore.pdbr source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdbQ source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbu source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: rtutils.pdbG source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbt source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: version.pdbC source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WERF393.tmp.dmp.22.dr
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: firefox.PDB source: firefox.exe, 0000000D.00000002.742868126.00000000006F9000.00000004.00000010.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbe source: firefox.exe, 0000000D.00000002.743484247.00000000008FE000.00000004.00000020.sdmp
Source: Binary string: WLDP.pdbc source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: schannel.pdbe source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbL source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp
Source: Binary string: nsi.pdb5 source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.680571543.0000000005474000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759299892.0000000005141000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: iVisualBasic.pdb source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.663878392.0000000000BF8000.00000004.00000010.sdmp, firefox.exe, 0000000D.00000002.742868126.00000000006F9000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdba source: firefox.exe, 0000000D.00000002.743484247.00000000008FE000.00000004.00000020.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000016.00000003.743032911.0000000002ACF000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERF393.tmp.dmp.22.dr
Source: Binary string: ncrypt.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: secur32.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
Source: Binary string: version.pdb. source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WERF393.tmp.dmp.22.dr
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb[ source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdbz< source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: ml.ni.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759271967.0000000005153000.00000004.00000001.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WERF393.tmp.dmp.22.dr
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: KHAWATMI CO.IMPORT & EXPORT_PDF.PDB source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.663878392.0000000000BF8000.00000004.00000010.sdmp
Source: Binary string: ml.ni.pdb" source: WerFault.exe, 00000016.00000003.759271967.0000000005153000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
Source: Binary string: fwpuclnt.pdb[ source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: wintrust.pdb,< source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb] source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.680555966.0000000005470000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759441290.0000000005140000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 00000016.00000003.759271967.0000000005153000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: firefox.exe, 0000000D.00000002.743484247.00000000008FE000.00000004.00000020.sdmp
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb6 source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.PDB source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.663878392.0000000000BF8000.00000004.00000010.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdbI source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: firefox.exe, 0000000D.00000002.742868126.00000000006F9000.00000004.00000010.sdmp
Source: Binary string: c.pdbis source: firefox.exe, 0000000D.00000002.742868126.00000000006F9000.00000004.00000010.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdby source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: clrjit.pdbW source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb8 source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdbE source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: .pdb:h source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.663878392.0000000000BF8000.00000004.00000010.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb0 source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
Source: Binary string: rtutils.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: System.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000016.00000003.742360122.0000000002AC3000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdba source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.680555966.0000000005470000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759441290.0000000005140000.00000004.00000040.sdmp
Source: Binary string: WLDP.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbRSDS source: WERF393.tmp.dmp.22.dr
Source: Binary string: clrjit.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
Source: Binary string: ml.pdb))" source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: onfiguration.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
Source: Binary string: urlmon.pdb&< source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: ore.ni.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
Source: Binary string: System.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
Source: Binary string: ore.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.680555966.0000000005470000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759441290.0000000005140000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdbH source: WERF393.tmp.dmp.22.dr
Source: Binary string: psapi.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
Source: Binary string: secur32.pdbo source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
Source: Binary string: cldapi.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb~ source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000016.00000003.744010464.0000000002AD5000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbo source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdby source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 00000009.00000003.680571543.0000000005474000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759299892.0000000005141000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\firefox\firefox.PDB source: firefox.exe, 0000000D.00000002.742868126.00000000006F9000.00000004.00000010.sdmp
Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: edputil.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdbw source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp

Data Obfuscation:

Binary contains a suspicious time stamp
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe Static PE information: 0xDCE3B2C8 [Sun Jun 8 11:26:00 2087 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Code function: 0_2_0125C169 push 7406FA69h; retf 0_2_0125C175
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Code function: 0_2_0125578C push E8FFFFFFh; retf 0_2_01255791
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Code function: 0_2_0125C998 push es; iretd 0_2_0125C9A4
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Code function: 13_2_025E25F0 pushfd ; retf 13_2_025E266A
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Code function: 20_2_026CC4F3 push C30276C0h; ret 20_2_026CC506
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Code function: 20_2_026CDB7E push ebp; retf 20_2_026CDB7F

Persistence and Installation Behavior:

Drops executable to a common third party application directory
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe File written: C:\Users\user\AppData\Roaming\firefox\firefox.exe
Drops PE files
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe File created: C:\Users\user\AppData\Roaming\firefox\firefox.exe
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run firefox

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe File opened: C:\Users\user\AppData\Roaming\firefox\firefox.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Window / User API: threadDelayed 1851
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Window / User API: threadDelayed 7991
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Window / User API: threadDelayed 2708
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Window / User API: threadDelayed 7138
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe TID: 6680 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe TID: 6400 Thread sleep count: 1851 > 30
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe TID: 6400 Thread sleep count: 7991 > 30
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe TID: 6916 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe TID: 4296 Thread sleep count: 2708 > 30
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe TID: 4296 Thread sleep count: 7138 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Thread delayed: delay time: 922337203685477
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.668566145.0000000005280000.00000002.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.913337240.00000000061F0000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.692691406.0000000005110000.00000002.00000001.sdmp, firefox.exe, 00000014.00000002.911257980.0000000005A10000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.778133704.0000000005160000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000009.00000002.692550967.0000000004EF8000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.776928113.0000000004AFB000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.909453794.0000000001534000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllssorId
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.668566145.0000000005280000.00000002.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.913337240.00000000061F0000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.692691406.0000000005110000.00000002.00000001.sdmp, firefox.exe, 00000014.00000002.911257980.0000000005A10000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.778133704.0000000005160000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000016.00000002.777071737.0000000004B4A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW,
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.668566145.0000000005280000.00000002.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.913337240.00000000061F0000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.692691406.0000000005110000.00000002.00000001.sdmp, firefox.exe, 00000014.00000002.911257980.0000000005A10000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.778133704.0000000005160000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000009.00000002.692499246.0000000004E30000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW Filter-0000
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.668566145.0000000005280000.00000002.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.913337240.00000000061F0000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.692691406.0000000005110000.00000002.00000001.sdmp, firefox.exe, 00000014.00000002.911257980.0000000005A10000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.778133704.0000000005160000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Code function: 0_2_0125B5C0 NtSetInformationThread ?,00000011,?,?,?,?,?,?,?,0125C1B7,00000000,00000000 0_2_0125B5C0
Hides threads from debuggers
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Process queried: DebugPort
Enables debug privileges
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Memory written: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Memory written: C:\Users\user\AppData\Roaming\firefox\firefox.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Process created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Process created: C:\Users\user\AppData\Roaming\firefox\firefox.exe C:\Users\user\AppData\Roaming\firefox\firefox.exe
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.909875853.0000000001AC0000.00000002.00000001.sdmp, firefox.exe, 00000014.00000002.908930147.00000000011C0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.909875853.0000000001AC0000.00000002.00000001.sdmp, firefox.exe, 00000014.00000002.908930147.00000000011C0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.909875853.0000000001AC0000.00000002.00000001.sdmp, firefox.exe, 00000014.00000002.908930147.00000000011C0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.909875853.0000000001AC0000.00000002.00000001.sdmp, firefox.exe, 00000014.00000002.908930147.00000000011C0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Queries volume information: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Queries volume information: C:\Users\user\AppData\Roaming\firefox\firefox.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe Code function: 20_2_05D1223C GetUserNameW, 20_2_05D1223C
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000006.00000002.906435816.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.906456012.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.752549672.0000000003F25000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.909476623.0000000002881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.669235815.0000000005DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: KHAWATMI CO.IMPORT & EXPORT_PDF.exe PID: 7092, type: MEMORY
Source: Yara match File source: Process Memory Space: firefox.exe PID: 4244, type: MEMORY
Source: Yara match File source: Process Memory Space: KHAWATMI CO.IMPORT & EXPORT_PDF.exe PID: 1288, type: MEMORY
Source: Yara match File source: Process Memory Space: firefox.exe PID: 7036, type: MEMORY
Source: Yara match File source: 13.2.firefox.exe.3f5b270.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.KHAWATMI CO.IMPORT & EXPORT_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.firefox.exe.3f25450.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.firefox.exe.3f5b270.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.firefox.exe.3f25450.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.KHAWATMI CO.IMPORT & EXPORT_PDF.exe.3f4a790.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.firefox.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.KHAWATMI CO.IMPORT & EXPORT_PDF.exe.3f4a790.10.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 00000014.00000002.909476623.0000000002881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.910151654.00000000030D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: firefox.exe PID: 4244, type: MEMORY
Source: Yara match File source: Process Memory Space: KHAWATMI CO.IMPORT & EXPORT_PDF.exe PID: 1288, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000006.00000002.906435816.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.906456012.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.752549672.0000000003F25000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.909476623.0000000002881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.669235815.0000000005DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: KHAWATMI CO.IMPORT & EXPORT_PDF.exe PID: 7092, type: MEMORY
Source: Yara match File source: Process Memory Space: firefox.exe PID: 4244, type: MEMORY
Source: Yara match File source: Process Memory Space: KHAWATMI CO.IMPORT & EXPORT_PDF.exe PID: 1288, type: MEMORY
Source: Yara match File source: Process Memory Space: firefox.exe PID: 7036, type: MEMORY
Source: Yara match File source: 13.2.firefox.exe.3f5b270.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.KHAWATMI CO.IMPORT & EXPORT_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.firefox.exe.3f25450.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.firefox.exe.3f5b270.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.firefox.exe.3f25450.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.KHAWATMI CO.IMPORT & EXPORT_PDF.exe.3f4a790.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.firefox.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.KHAWATMI CO.IMPORT & EXPORT_PDF.exe.3f4a790.10.raw.unpack, type: UNPACKEDPE
Behavior Graph

Behavior Graph ID: 385328
Sample: KHAWATMI CO.IMPORT & EXPORT...
Startdate: 12/04/2021
Architecture: WINDOWS
Score: 100

Root (node 2):
  • DNS: clientconfig.passport.net
  • Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for submitted file; 7 other signatures
  • Started: KHAWATMI CO.IMPORT & EXPORT_PDF.exe 15 4 (node 8); firefox.exe 3 (node 12); firefox.exe (node 14)

KHAWATMI CO.IMPORT & EXPORT_PDF.exe (node 8):
  • DNS/IP: bornforthis.ml 104.21.17.57, 443, 49729, 49730 CLOUDFLARENETUS United States
  • Signatures: Hides threads from debuggers; Injects a PE file into a foreign processes
  • Started: KHAWATMI CO.IMPORT & EXPORT_PDF.exe 2 9 (node 16); cmd.exe 1 (node 21); WerFault.exe 23 9 (node 23); KHAWATMI CO.IMPORT & EXPORT_PDF.exe (node 25)

firefox.exe (node 12):
  • Signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  • Started: cmd.exe 1 (node 27); firefox.exe (node 29); WerFault.exe (node 31)

KHAWATMI CO.IMPORT & EXPORT_PDF.exe (node 16):
  • DNS/IP: jumatsedekah.com 101.50.1.12, 49771, 49772, 587 BEON-AS-IDPTBeonIntermediaID Indonesia; mail.jumatsedekah.com
  • Dropped files: C:\Users\user\AppData\Roaming\...\firefox.exe, PE32; C:\Users\user\...\firefox.exe:Zone.Identifier, ASCII
  • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 4 other signatures

cmd.exe (node 21):
  • Started: conhost.exe (node 33); timeout.exe 1 (node 35)

cmd.exe (node 27):
  • Started: conhost.exe (node 37); timeout.exe 1 (node 39)

Contacted Public IPs

IP           | Domain           | Country       | ASN   | ASN Name                     | Malicious
104.21.17.57 | bornforthis.ml   | United States | 13335 | CLOUDFLARENETUS              | false
101.50.1.12  | jumatsedekah.com | Indonesia     | 55688 | BEON-AS-IDPTBeonIntermediaID | true

Contacted Domains

Name                      | IP           | Active
jumatsedekah.com          | 101.50.1.12  | true
bornforthis.ml            | 104.21.17.57 | true
clientconfig.passport.net | unknown      | unknown
mail.jumatsedekah.com     | unknown      | unknown