Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report KHAWATMI CO.IMPORT & EXPORT_PDF.exe

Overview

General Information

Sample Name:KHAWATMI CO.IMPORT & EXPORT_PDF.exe
Analysis ID:385328
MD5:ee8919ff7b5f2a89b6c1984a6a3b7fbc
SHA1:cafb42ed9189ff950da2b14d7ab3aeab229d8165
SHA256:5074a2f201d924bdf62f0a58bca9cf0a5536af84b3b90bc6915a5cf36dfe019f
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Contains functionality to hide a thread from the debugger
Contains functionality to register a low level keyboard hook
Drops executable to a common third party application directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Allocates a big amount of memory (probably used for heap spraying)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • KHAWATMI CO.IMPORT & EXPORT_PDF.exe (PID: 7092 cmdline: 'C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe' MD5: EE8919FF7B5F2A89B6C1984A6A3B7FBC)
    • cmd.exe (PID: 244 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6348 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • WerFault.exe (PID: 5848 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 2116 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • firefox.exe (PID: 7036 cmdline: 'C:\Users\user\AppData\Roaming\firefox\firefox.exe' MD5: EE8919FF7B5F2A89B6C1984A6A3B7FBC)
    • cmd.exe (PID: 1584 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6188 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • firefox.exe (PID: 4244 cmdline: C:\Users\user\AppData\Roaming\firefox\firefox.exe MD5: EE8919FF7B5F2A89B6C1984A6A3B7FBC)
    • WerFault.exe (PID: 2860 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7036 -s 1480 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • firefox.exe (PID: 1620 cmdline: 'C:\Users\user\AppData\Roaming\firefox\firefox.exe' MD5: EE8919FF7B5F2A89B6C1984A6A3B7FBC)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "ugooo@jumatsedekah.comB1]ir;)]vV*%mail.jumatsedekah.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000006.00000002.906435816.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000014.00000002.906456012.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      0000000D.00000002.752549672.0000000003F25000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000014.00000002.909476623.0000000002881000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 9 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            13.2.firefox.exe.3f5b270.9.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              6.2.KHAWATMI CO.IMPORT & EXPORT_PDF.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                13.2.firefox.exe.3f25450.8.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  13.2.firefox.exe.3f5b270.9.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    13.2.firefox.exe.3f25450.8.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 3 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 6.2.KHAWATMI CO.IMPORT & EXPORT_PDF.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "ugooo@jumatsedekah.comB1]ir;)]vV*%mail.jumatsedekah.com"}
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeReversingLabs: Detection: 12%
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exeReversingLabs: Detection: 12%
                      Machine Learning detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeJoe Sandbox ML: detected
                      Machine Learning detection for sampleShow sources
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exeJoe Sandbox ML: detected
                      Source: 6.2.KHAWATMI CO.IMPORT & EXPORT_PDF.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 20.2.firefox.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: unknownHTTPS traffic detected: 104.21.17.57:443 -> 192.168.2.4:49730 version: TLS 1.0
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: wuser32.pdbI source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: o.pdb2 source: firefox.exe, 0000000D.00000002.742868126.00000000006F9000.00000004.00000010.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdb" source: WerFault.exe, 00000016.00000003.759425165.0000000004FB2000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.743032911.0000000002ACF000.00000004.00000001.sdmp
                      Source: Binary string: System.pdb" source: WerFault.exe, 00000016.00000003.759425165.0000000004FB2000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.680555966.0000000005470000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759441290.0000000005140000.00000004.00000040.sdmp
                      Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
                      Source: Binary string: fltLib.pdb$ source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.742360122.0000000002AC3000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb7 source: firefox.exe, 0000000D.00000002.743484247.00000000008FE000.00000004.00000020.sdmp
                      Source: Binary string: bcrypt.pdb" source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdbhG source: WerFault.exe, 00000016.00000003.759369421.0000000004F90000.00000004.00000001.sdmp
                      Source: Binary string: ml.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
                      Source: Binary string: winnsi.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: .ni.pdb source: WerFault.exe, 00000009.00000003.680034398.0000000005488000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759271967.0000000005153000.00000004.00000001.sdmp
                      Source: Binary string: clr.pdb source: WerFault.exe, 00000009.00000003.680555966.0000000005470000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759441290.0000000005140000.00000004.00000040.sdmp
                      Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdbs source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 00000016.00000003.759425165.0000000004FB2000.00000004.00000001.sdmp
                      Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
                      Source: Binary string: shcore.pdb] source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
                      Source: Binary string: urlmon.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: schannel.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.744010464.0000000002AD5000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb> source: firefox.exe, 0000000D.00000002.743484247.00000000008FE000.00000004.00000020.sdmp
                      Source: Binary string: System.Windows.Forms.pdb0 source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
                      Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: firefox.exe, 0000000D.00000002.743484247.00000000008FE000.00000004.00000020.sdmp
                      Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
                      Source: Binary string: indows.Forms.pdb source: WerFault.exe, 00000009.00000003.680034398.0000000005488000.00000004.00000001.sdmp
                      Source: Binary string: shcore.pdbr source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
                      Source: Binary string: dnsapi.pdbQ source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdbu source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: rtutils.pdbG source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: mscoree.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
                      Source: Binary string: shell32.pdbt source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: version.pdbC source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdbRSDS source: WERF393.tmp.dmp.22.dr
                      Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: firefox.PDB source: firefox.exe, 0000000D.00000002.742868126.00000000006F9000.00000004.00000010.sdmp
                      Source: Binary string: iertutil.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbe source: firefox.exe, 0000000D.00000002.743484247.00000000008FE000.00000004.00000020.sdmp
                      Source: Binary string: WLDP.pdbc source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
                      Source: Binary string: msasn1.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: schannel.pdbe source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdbL source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp
                      Source: Binary string: nsi.pdb5 source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.680571543.0000000005474000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759299892.0000000005141000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: iVisualBasic.pdb source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.663878392.0000000000BF8000.00000004.00000010.sdmp, firefox.exe, 0000000D.00000002.742868126.00000000006F9000.00000004.00000010.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdba source: firefox.exe, 0000000D.00000002.743484247.00000000008FE000.00000004.00000020.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000016.00000003.743032911.0000000002ACF000.00000004.00000001.sdmp
                      Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERF393.tmp.dmp.22.dr
                      Source: Binary string: ncrypt.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: secur32.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
                      Source: Binary string: version.pdb. source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdbRSDS source: WERF393.tmp.dmp.22.dr
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb[ source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdbz< source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: ml.ni.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759271967.0000000005153000.00000004.00000001.sdmp
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdbRSDSD source: WERF393.tmp.dmp.22.dr
                      Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: KHAWATMI CO.IMPORT & EXPORT_PDF.PDB source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.663878392.0000000000BF8000.00000004.00000010.sdmp
                      Source: Binary string: ml.ni.pdb" source: WerFault.exe, 00000016.00000003.759271967.0000000005153000.00000004.00000001.sdmp
                      Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
                      Source: Binary string: fwpuclnt.pdb[ source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: wintrust.pdb,< source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: winnsi.pdb] source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.680555966.0000000005470000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759441290.0000000005140000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 00000016.00000003.759271967.0000000005153000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: firefox.exe, 0000000D.00000002.743484247.00000000008FE000.00000004.00000020.sdmp
                      Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb6 source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.PDB source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.663878392.0000000000BF8000.00000004.00000010.sdmp
                      Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: wmswsock.pdbI source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: firefox.exe, 0000000D.00000002.742868126.00000000006F9000.00000004.00000010.sdmp
                      Source: Binary string: c.pdbis source: firefox.exe, 0000000D.00000002.742868126.00000000006F9000.00000004.00000010.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
                      Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdby source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: winhttp.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: clrjit.pdbW source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: psapi.pdb8 source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdbE source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: .pdb:h source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.663878392.0000000000BF8000.00000004.00000010.sdmp
                      Source: Binary string: ntasn1.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdb0 source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
                      Source: Binary string: rtutils.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: System.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000016.00000003.742360122.0000000002AC3000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdba source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.680555966.0000000005470000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759441290.0000000005140000.00000004.00000040.sdmp
                      Source: Binary string: WLDP.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdbRSDS source: WERF393.tmp.dmp.22.dr
                      Source: Binary string: clrjit.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: rasman.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
                      Source: Binary string: ml.pdb))" source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
                      Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: version.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: onfiguration.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
                      Source: Binary string: wintrust.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
                      Source: Binary string: urlmon.pdb&< source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: ore.ni.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
                      Source: Binary string: System.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
                      Source: Binary string: ore.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.680555966.0000000005470000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759441290.0000000005140000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.pdbH source: WERF393.tmp.dmp.22.dr
                      Source: Binary string: psapi.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
                      Source: Binary string: secur32.pdbo source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
                      Source: Binary string: cldapi.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb~ source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
                      Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000016.00000003.744010464.0000000002AD5000.00000004.00000001.sdmp
                      Source: Binary string: powrprof.pdbo source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: CLBCatQ.pdby source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdbk source: WerFault.exe, 00000009.00000003.680571543.0000000005474000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759299892.0000000005141000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: C:\Users\user\AppData\Roaming\firefox\firefox.PDB source: firefox.exe, 0000000D.00000002.742868126.00000000006F9000.00000004.00000010.sdmp
                      Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
                      Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
                      Source: Binary string: crypt32.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: edputil.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: dhcpcsvc.pdbw source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: firefox.exeMemory has grown: Private usage: 5MB later: 28MB

                      Networking:

                      barindex
                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                      Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49771 -> 101.50.1.12:587
                      Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49772 -> 101.50.1.12:587
                      Source: global trafficTCP traffic: 192.168.2.4:49771 -> 101.50.1.12:587
                      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7E01452C0469561541C13E621DA21CFA.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: bornforthis.mlConnection: Keep-Alive
                      Source: Joe Sandbox ViewIP Address: 104.21.17.57 104.21.17.57
                      Source: Joe Sandbox ViewIP Address: 101.50.1.12 101.50.1.12
                      Source: Joe Sandbox ViewASN Name: BEON-AS-IDPTBeonIntermediaID BEON-AS-IDPTBeonIntermediaID
                      Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                      Source: global trafficTCP traffic: 192.168.2.4:49771 -> 101.50.1.12:587
                      Source: unknownHTTPS traffic detected: 104.21.17.57:443 -> 192.168.2.4:49730 version: TLS 1.0
                      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7E01452C0469561541C13E621DA21CFA.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: bornforthis.mlConnection: Keep-Alive
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmpString found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.facebook.com (Facebook)
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmpString found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.twitter.com (Twitter)
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: <header class="mod-header" data-mod="header" data-immediate><div class="primary publication-theme-highlight"><a data-link-tracking="Header|MainLogo|Image|liverpool" id="logo" href="/">liverpool</a><a class="icon" id="hamburger" href="#">Load mobile navigation<span></span></a><nav class="primary"><section><ul data-level="1"><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Liverpool FC News" href="https://www.liverpool.com/liverpool-fc-news/">Liverpool FC News</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Latest News" href="https://www.liverpool.com/liverpool-fc-news/">Latest News</a></li><li><a data-link-tracking="Header|DropDown|Text|Transfer News" href="https://www.liverpool.com/liverpool-fc-news/transfer-news/">Transfer News</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Schedule" href="https://www.liverpool.com/schedule/">Schedule</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Premier League" href="https://www.liverpool.com/all-about/premier-league">Premier League</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li><a data-link-tracking="Header|SectionLabel|Text|Features" href="https://www.liverpool.com/liverpool-fc-news/features/">Features</a></li></ul></section></nav><profile-icon lr-custom-id="signin" lr-custom-class="header-profile-icon" lr-gtm-label="header" lr-show-account-link></profile-icon><div class="search"><button class="icon icon-search" id="search-icon" type="button" aria-label="Search"></button></div><div class="search-box hidden"><gcse:searchbox-only resultsUrl="https://www.liverpool.com/search/"></gcse:searchbox-only></div><div class="social-sites"><ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|top"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|top"></a></li></ul></div></div><nav class="secondary" data-smooth-scroll><section><ul class="click-track" data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/advertising/">Advertise with us</a></li></ul></section></nav><nav class="footer"><section><ul data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/r
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: <header class="mod-header" data-mod="header" data-immediate><div class="primary publication-theme-highlight"><a data-link-tracking="Header|MainLogo|Image|liverpool" id="logo" href="/">liverpool</a><a class="icon" id="hamburger" href="#">Load mobile navigation<span></span></a><nav class="primary"><section><ul data-level="1"><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Liverpool FC News" href="https://www.liverpool.com/liverpool-fc-news/">Liverpool FC News</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Latest News" href="https://www.liverpool.com/liverpool-fc-news/">Latest News</a></li><li><a data-link-tracking="Header|DropDown|Text|Transfer News" href="https://www.liverpool.com/liverpool-fc-news/transfer-news/">Transfer News</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Schedule" href="https://www.liverpool.com/schedule/">Schedule</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Premier League" href="https://www.liverpool.com/all-about/premier-league">Premier League</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li><a data-link-tracking="Header|SectionLabel|Text|Features" href="https://www.liverpool.com/liverpool-fc-news/features/">Features</a></li></ul></section></nav><profile-icon lr-custom-id="signin" lr-custom-class="header-profile-icon" lr-gtm-label="header" lr-show-account-link></profile-icon><div class="search"><button class="icon icon-search" id="search-icon" type="button" aria-label="Search"></button></div><div class="search-box hidden"><gcse:searchbox-only resultsUrl="https://www.liverpool.com/search/"></gcse:searchbox-only></div><div class="social-sites"><ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|top"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|top"></a></li></ul></div></div><nav class="secondary" data-smooth-scroll><section><ul class="click-track" data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/advertising/">Advertise with us</a></li></ul></section></nav><nav class="footer"><section><ul data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/r
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: <meta property="og:site_name" content="Liverpool.com"><meta property="og:language" content="en"><meta property="og:type" content="article"><meta property="og:title" content="The Brewster Experience has underdelivered so far, but that will change"><meta property="og:url" content="https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763"><meta property="og:description" content="Rhian Brewster was hyped up before the start of the season, but was that fair?"><meta property="og:image" content="https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178657262.jpg"><meta property="og:section" content="Features"><meta property="article:tag" content="Rhian Brewster"><meta property="article:author" content="https://www.facebook.com/kristianwalsh1987/"><meta property="article:published_time" content="2019-10-30T16:00:00Z"><meta property="article:modified_time" content="2019-10-30T15:36:53Z"><meta property="article:expiration_time" content="2019-11-29T15:36:53Z"><meta property="article:section" content="Features"><meta property="article:id" content="liverpool-17172763"> equals www.facebook.com (Facebook)
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.facebook.com (Facebook)
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.twitter.com (Twitter)
                      Source: unknownDNS traffic detected: queries for: clientconfig.passport.net
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.910151654.00000000030D1000.00000004.00000001.sdmp, firefox.exe, 00000014.00000002.909476623.0000000002881000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: firefox.exe, 00000014.00000002.909476623.0000000002881000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: firefox.exe, 00000014.00000002.909476623.0000000002881000.00000004.00000001.sdmpString found in binary or memory: http://ZUOsUg.com
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664598431.0000000002DA1000.00000004.00000001.sdmpString found in binary or memory: http://bornforthis.ml
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exeString found in binary or memory: http://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalgl
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000003.865790831.000000000157B000.00000004.00000001.sdmpString found in binary or memory: http://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalgli
                      Source: firefox.exe, firefox.exe, 00000017.00000002.742548778.00000000005B2000.00000002.00020000.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exeString found in binary or memory: http://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7E01
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664643567.0000000002DEA000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664643567.0000000002DEA000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664643567.0000000002DEA000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.910913383.000000000343A000.00000004.00000001.sdmpString found in binary or memory: http://jumatsedekah.com
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.910913383.000000000343A000.00000004.00000001.sdmpString found in binary or memory: http://mail.jumatsedekah.com
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664643567.0000000002DEA000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/BreadcrumbList
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/ListItem
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/NewsArticle
                      Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
                      Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
                      Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
                      Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
                      Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
                      Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
                      Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664598431.0000000002DA1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
                      Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
                      Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
                      Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
                      Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
                      Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
                      Source: WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664643567.0000000002DEA000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com/CPS0v
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.910913383.000000000343A000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.910949295.0000000003449000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.910822738.00000000033EB000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.910151654.00000000030D1000.00000004.00000001.sdmpString found in binary or memory: https://WmLbJDkaOPbXW.org
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.910151654.00000000030D1000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%$
                      Source: firefox.exe, 00000014.00000002.909476623.0000000002881000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664634640.0000000002DD5000.00000004.00000001.sdmpString found in binary or memory: https://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7E0
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664634640.0000000002DD5000.00000004.00000001.sdmpString found in binary or memory: https://bornforthis.ml46kX
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://c.amazon-adsystem.com/aax2/apstag.js
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://felix.data.tm-awx.com
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://felix.data.tm-awx.com/ampconfig.json&quot;
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmpString found in binary or memory: https://felix.data.tm-awx.com/felix.min.js
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://github.com/ded/script.js
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article17156435.ece/ALTERNATES/s615/1_GettyImages-1183794835.
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article17166876.ece/ALTERNATES/s615/0_GettyImages-1175998874.
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s220b/0_Salah-Pressing.jpg
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpg
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpg
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s180/0_Curtis-10.png
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s220b/0_Salah-Goal-vs-Leeds.jp
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpg
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpg
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s180/0_GettyImages-1304940818.
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpg
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpg
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s180/0_GettyImages-1273716690.
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s615/0_GettyImages-1302496803.
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s615/1_WhatsApp-Image-2021-03-
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://mab.data.tm-awx.com/rhs&quot;
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://quantcast.mgr.consensu.org
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmpString found in binary or memory: https://reach-id.orbit.tm-awx.com/analytics.js.gz
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://reachplc.hub.loginradius.com&quot;
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.liverpool.com
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.liverpool.com/
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.mirror.co.uk/
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://securepubads.g.doubleclick.net/tag/js/gpt.js
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmpString found in binary or memory: https://static.hotjar.com/c/hotjar-
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://trinitymirror.grapeshot.co.uk/
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://www.google-analytics.com
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-M3TH25P
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/andrew-robertson
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/champions-league
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/curtis-user
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/georginio-wijnaldum
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/mohamed-salah
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/ozan-kabak
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/premier-league
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/sadio-mane
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/steven-gerrard
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/transfers
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-barcelona-real-madrid-psg-17164868
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-curtis-user-jurgen-klopp-19941053
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-gini-wijnaldum-rumours-fitness-199533
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-sadio-mane-expected-goals-19932676
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763&
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-199590
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/schedule/
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/search/
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.906435816.0000000000402000.00000040.00000001.sdmp, firefox.exe, 0000000D.00000002.752549672.0000000003F25000.00000004.00000001.sdmp, firefox.exe, 00000014.00000002.906456012.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.910151654.00000000030D1000.00000004.00000001.sdmp, firefox.exe, 00000014.00000002.909476623.0000000002881000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      barindex
                      Contains functionality to register a low level keyboard hookShow sources
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeCode function: 6_2_01320BD8 SetWindowsHookExW 0000000D,00000000,?,?
                      Installs a global keyboard hookShow sources
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeWindow created: window name: CLIPBRDWNDCLASS
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeWindow created: window name: CLIPBRDWNDCLASS

                      System Summary:

                      barindex
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeCode function: 0_2_0125B5C0 NtSetInformationThread,
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeCode function: 0_2_0125C298 NtSetInformationThread,
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeCode function: 13_2_025EB160 NtSetInformationThread,
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeCode function: 13_2_025EBE38 NtSetInformationThread,
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeCode function: 0_2_01253240
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeCode function: 0_2_01252A40
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeCode function: 0_2_01250AD8
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeCode function: 6_2_0132A3E0
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeCode function: 6_2_01321349
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeCode function: 13_2_025E2678
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeCode function: 13_2_025E2C90
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeCode function: 20_2_026C46A0
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeCode function: 20_2_026C45B0
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeCode function: 20_2_026CD280
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeCode function: 20_2_05D16508
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeCode function: 20_2_05D17120
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeCode function: 20_2_05D190D8
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeCode function: 20_2_05D16850
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 2116
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664566237.0000000002D60000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlsbres.dllj% vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666124062.0000000003E89000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRunPeBraba.dll6 vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664573593.0000000002D70000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlsbres.dll.muij% vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.668566145.0000000005280000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.674828496.0000000007220000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000000.642139729.0000000000A66000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamebadenberg.exe4 vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmpBinary or memory string: OriginalFilename vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameTvZX Vud.exe2 vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.674746922.00000000070B0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.674746922.00000000070B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.674548443.0000000006FE0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000005.00000002.660029475.00000000003B6000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamebadenberg.exe4 vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exeBinary or memory string: OriginalFilename vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.906435816.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameTvZX Vud.exe2 vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.913337240.00000000061F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.909245400.00000000014CA000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000003.865790831.000000000157B000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamebadenberg.exe4 vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.914133046.00000000065F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.907031413.00000000010F8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exeBinary or memory string: OriginalFilenamebadenberg.exe4 vs KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@21/12@7/2
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeFile created: C:\Users\user\YmbIShslLTQZdUqXrfprIiJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7036
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7092
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6076:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6685.tmpJump to behavior
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exeReversingLabs: Detection: 12%
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeFile read: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe:Zone.IdentifierJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe 'C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe'
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 2116
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\firefox\firefox.exe 'C:\Users\user\AppData\Roaming\firefox\firefox.exe'
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess created: C:\Users\user\AppData\Roaming\firefox\firefox.exe C:\Users\user\AppData\Roaming\firefox\firefox.exe
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7036 -s 1480
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\firefox\firefox.exe 'C:\Users\user\AppData\Roaming\firefox\firefox.exe'
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess created: C:\Users\user\AppData\Roaming\firefox\firefox.exe C:\Users\user\AppData\Roaming\firefox\firefox.exe
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: wuser32.pdbI source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: o.pdb2 source: firefox.exe, 0000000D.00000002.742868126.00000000006F9000.00000004.00000010.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdb" source: WerFault.exe, 00000016.00000003.759425165.0000000004FB2000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.743032911.0000000002ACF000.00000004.00000001.sdmp
                      Source: Binary string: System.pdb" source: WerFault.exe, 00000016.00000003.759425165.0000000004FB2000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.680555966.0000000005470000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759441290.0000000005140000.00000004.00000040.sdmp
                      Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
                      Source: Binary string: fltLib.pdb$ source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.742360122.0000000002AC3000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb7 source: firefox.exe, 0000000D.00000002.743484247.00000000008FE000.00000004.00000020.sdmp
                      Source: Binary string: bcrypt.pdb" source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdbhG source: WerFault.exe, 00000016.00000003.759369421.0000000004F90000.00000004.00000001.sdmp
                      Source: Binary string: ml.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
                      Source: Binary string: winnsi.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: .ni.pdb source: WerFault.exe, 00000009.00000003.680034398.0000000005488000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759271967.0000000005153000.00000004.00000001.sdmp
                      Source: Binary string: clr.pdb source: WerFault.exe, 00000009.00000003.680555966.0000000005470000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759441290.0000000005140000.00000004.00000040.sdmp
                      Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdbs source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 00000016.00000003.759425165.0000000004FB2000.00000004.00000001.sdmp
                      Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
                      Source: Binary string: shcore.pdb] source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
                      Source: Binary string: urlmon.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: schannel.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.744010464.0000000002AD5000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb> source: firefox.exe, 0000000D.00000002.743484247.00000000008FE000.00000004.00000020.sdmp
                      Source: Binary string: System.Windows.Forms.pdb0 source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
                      Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: firefox.exe, 0000000D.00000002.743484247.00000000008FE000.00000004.00000020.sdmp
                      Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
                      Source: Binary string: indows.Forms.pdb source: WerFault.exe, 00000009.00000003.680034398.0000000005488000.00000004.00000001.sdmp
                      Source: Binary string: shcore.pdbr source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
                      Source: Binary string: dnsapi.pdbQ source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdbu source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: rtutils.pdbG source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: mscoree.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
                      Source: Binary string: shell32.pdbt source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: version.pdbC source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdbRSDS source: WERF393.tmp.dmp.22.dr
                      Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: firefox.PDB source: firefox.exe, 0000000D.00000002.742868126.00000000006F9000.00000004.00000010.sdmp
                      Source: Binary string: iertutil.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbe source: firefox.exe, 0000000D.00000002.743484247.00000000008FE000.00000004.00000020.sdmp
                      Source: Binary string: WLDP.pdbc source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
                      Source: Binary string: msasn1.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: schannel.pdbe source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdbL source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp
                      Source: Binary string: nsi.pdb5 source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.680571543.0000000005474000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759299892.0000000005141000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: iVisualBasic.pdb source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.663878392.0000000000BF8000.00000004.00000010.sdmp, firefox.exe, 0000000D.00000002.742868126.00000000006F9000.00000004.00000010.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdba source: firefox.exe, 0000000D.00000002.743484247.00000000008FE000.00000004.00000020.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000016.00000003.743032911.0000000002ACF000.00000004.00000001.sdmp
                      Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERF393.tmp.dmp.22.dr
                      Source: Binary string: ncrypt.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: secur32.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
                      Source: Binary string: version.pdb. source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdbRSDS source: WERF393.tmp.dmp.22.dr
                      Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb[ source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdbz< source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: ml.ni.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759271967.0000000005153000.00000004.00000001.sdmp
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdbRSDSD source: WERF393.tmp.dmp.22.dr
                      Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: KHAWATMI CO.IMPORT & EXPORT_PDF.PDB source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.663878392.0000000000BF8000.00000004.00000010.sdmp
                      Source: Binary string: ml.ni.pdb" source: WerFault.exe, 00000016.00000003.759271967.0000000005153000.00000004.00000001.sdmp
                      Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
                      Source: Binary string: fwpuclnt.pdb[ source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: wintrust.pdb,< source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: winnsi.pdb] source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.680555966.0000000005470000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759441290.0000000005140000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 00000016.00000003.759271967.0000000005153000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: firefox.exe, 0000000D.00000002.743484247.00000000008FE000.00000004.00000020.sdmp
                      Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb6 source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.PDB source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.663878392.0000000000BF8000.00000004.00000010.sdmp
                      Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: wmswsock.pdbI source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: firefox.exe, 0000000D.00000002.742868126.00000000006F9000.00000004.00000010.sdmp
                      Source: Binary string: c.pdbis source: firefox.exe, 0000000D.00000002.742868126.00000000006F9000.00000004.00000010.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
                      Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdby source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: winhttp.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: clrjit.pdbW source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: psapi.pdb8 source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdbE source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: .pdb:h source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.663878392.0000000000BF8000.00000004.00000010.sdmp
                      Source: Binary string: ntasn1.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdb0 source: WerFault.exe, 00000009.00000003.677157676.000000000547B000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
                      Source: Binary string: rtutils.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: System.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000016.00000003.742360122.0000000002AC3000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdba source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.680555966.0000000005470000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759441290.0000000005140000.00000004.00000040.sdmp
                      Source: Binary string: WLDP.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdbRSDS source: WERF393.tmp.dmp.22.dr
                      Source: Binary string: clrjit.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: rasman.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
                      Source: Binary string: ml.pdb))" source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
                      Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: version.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: onfiguration.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
                      Source: Binary string: wintrust.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
                      Source: Binary string: urlmon.pdb&< source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: ore.ni.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
                      Source: Binary string: System.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
                      Source: Binary string: ore.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.680555966.0000000005470000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759441290.0000000005140000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.pdbH source: WERF393.tmp.dmp.22.dr
                      Source: Binary string: psapi.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
                      Source: Binary string: secur32.pdbo source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
                      Source: Binary string: cldapi.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb~ source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
                      Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000009.00000003.680041866.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.759395741.0000000004FA1000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000016.00000003.744010464.0000000002AD5000.00000004.00000001.sdmp
                      Source: Binary string: powrprof.pdbo source: WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: CLBCatQ.pdby source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdbk source: WerFault.exe, 00000009.00000003.680571543.0000000005474000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759299892.0000000005141000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.pdb source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: C:\Users\user\AppData\Roaming\firefox\firefox.PDB source: firefox.exe, 0000000D.00000002.742868126.00000000006F9000.00000004.00000010.sdmp
                      Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000009.00000002.693171590.0000000005690000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp
                      Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.680226843.0000000005477000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdb source: WerFault.exe, 00000009.00000003.680062747.00000000054B7000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.778604218.0000000005250000.00000004.00000001.sdmp, WERF393.tmp.dmp.22.dr
                      Source: Binary string: crypt32.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: edputil.pdb source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.759469362.0000000005146000.00000004.00000040.sdmp
                      Source: Binary string: dhcpcsvc.pdbw source: WerFault.exe, 00000009.00000003.680018100.0000000005483000.00000004.00000040.sdmp
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exeStatic PE information: 0xDCE3B2C8 [Sun Jun 8 11:26:00 2087 UTC]
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeCode function: 0_2_0125C169 push 7406FA69h; retf
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeCode function: 0_2_0125578C push E8FFFFFFh; retf
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeCode function: 0_2_0125C998 push es; iretd
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeCode function: 13_2_025E25F0 pushfd ; retf
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeCode function: 20_2_026CC4F3 push C30276C0h; ret
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeCode function: 20_2_026CDB7E push ebp; retf

                      Persistence and Installation Behavior:

                      barindex
                      Drops executable to a common third party application directoryShow sources
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeFile written: C:\Users\user\AppData\Roaming\firefox\firefox.exeJump to behavior
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeFile created: C:\Users\user\AppData\Roaming\firefox\firefox.exeJump to dropped file
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run firefoxJump to behavior
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run firefoxJump to behavior

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeFile opened: C:\Users\user\AppData\Roaming\firefox\firefox.exe:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      barindex
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeWindow / User API: threadDelayed 1851
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeWindow / User API: threadDelayed 7991
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeWindow / User API: threadDelayed 2708
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeWindow / User API: threadDelayed 7138
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe TID: 6680Thread sleep time: -13835058055282155s >= -30000s
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe TID: 6400Thread sleep count: 1851 > 30
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe TID: 6400Thread sleep count: 7991 > 30
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe TID: 6916Thread sleep time: -20291418481080494s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe TID: 4296Thread sleep count: 2708 > 30
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe TID: 4296Thread sleep count: 7138 > 30
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeThread delayed: delay time: 922337203685477
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.668566145.0000000005280000.00000002.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.913337240.00000000061F0000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.692691406.0000000005110000.00000002.00000001.sdmp, firefox.exe, 00000014.00000002.911257980.0000000005A10000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.778133704.0000000005160000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: WerFault.exe, 00000009.00000002.692550967.0000000004EF8000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.776928113.0000000004AFB000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.909453794.0000000001534000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllssorId
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.668566145.0000000005280000.00000002.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.913337240.00000000061F0000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.692691406.0000000005110000.00000002.00000001.sdmp, firefox.exe, 00000014.00000002.911257980.0000000005A10000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.778133704.0000000005160000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: WerFault.exe, 00000016.00000002.777071737.0000000004B4A000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW,
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.668566145.0000000005280000.00000002.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.913337240.00000000061F0000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.692691406.0000000005110000.00000002.00000001.sdmp, firefox.exe, 00000014.00000002.911257980.0000000005A10000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.778133704.0000000005160000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: WerFault.exe, 00000009.00000002.692499246.0000000004E30000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW Filter-0000
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.668566145.0000000005280000.00000002.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.913337240.00000000061F0000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.692691406.0000000005110000.00000002.00000001.sdmp, firefox.exe, 00000014.00000002.911257980.0000000005A10000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.778133704.0000000005160000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess information queried: ProcessInformation

                      Anti Debugging:

                      barindex
                      Contains functionality to hide a thread from the debuggerShow sources
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeCode function: 0_2_0125B5C0 NtSetInformationThread ?,00000011,?,?,?,?,?,?,?,0125C1B7,00000000,00000000
                      Hides threads from debuggersShow sources
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeThread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess queried: DebugPort
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess queried: DebugPort
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess queried: DebugPort
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess queried: DebugPort
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeMemory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Injects a PE file into a foreign processesShow sources
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeMemory written: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeMemory written: C:\Users\user\AppData\Roaming\firefox\firefox.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeProcess created: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess created: C:\Users\user\AppData\Roaming\firefox\firefox.exe C:\Users\user\AppData\Roaming\firefox\firefox.exe
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.909875853.0000000001AC0000.00000002.00000001.sdmp, firefox.exe, 00000014.00000002.908930147.00000000011C0000.00000002.00000001.sdmpBinary or memory string: Program Manager
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.909875853.0000000001AC0000.00000002.00000001.sdmp, firefox.exe, 00000014.00000002.908930147.00000000011C0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.909875853.0000000001AC0000.00000002.00000001.sdmp, firefox.exe, 00000014.00000002.908930147.00000000011C0000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.909875853.0000000001AC0000.00000002.00000001.sdmp, firefox.exe, 00000014.00000002.908930147.00000000011C0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeQueries volume information: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe VolumeInformation
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeQueries volume information: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe VolumeInformation
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeQueries volume information: C:\Users\user\AppData\Roaming\firefox\firefox.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeQueries volume information: C:\Users\user\AppData\Roaming\firefox\firefox.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeQueries volume information: C:\Users\user\AppData\Roaming\firefox\firefox.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeCode function: 20_2_05D1223C GetUserNameW,
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000006.00000002.906435816.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.906456012.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.752549672.0000000003F25000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.909476623.0000000002881000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.669235815.0000000005DE1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: KHAWATMI CO.IMPORT & EXPORT_PDF.exe PID: 7092, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: firefox.exe PID: 4244, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: KHAWATMI CO.IMPORT & EXPORT_PDF.exe PID: 1288, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: firefox.exe PID: 7036, type: MEMORY
                      Source: Yara matchFile source: 13.2.firefox.exe.3f5b270.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.KHAWATMI CO.IMPORT & EXPORT_PDF.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.firefox.exe.3f25450.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.firefox.exe.3f5b270.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.firefox.exe.3f25450.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.KHAWATMI CO.IMPORT & EXPORT_PDF.exe.3f4a790.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.firefox.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.KHAWATMI CO.IMPORT & EXPORT_PDF.exe.3f4a790.10.raw.unpack, type: UNPACKEDPE
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal browser information (history, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Tries to harvest and steal ftp login credentialsShow sources
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Tries to steal Mail credentials (via file access)Show sources
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Yara matchFile source: 00000014.00000002.909476623.0000000002881000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.910151654.00000000030D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: firefox.exe PID: 4244, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: KHAWATMI CO.IMPORT & EXPORT_PDF.exe PID: 1288, type: MEMORY

                      Remote Access Functionality:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000006.00000002.906435816.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.906456012.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.752549672.0000000003F25000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.909476623.0000000002881000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.669235815.0000000005DE1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: KHAWATMI CO.IMPORT & EXPORT_PDF.exe PID: 7092, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: firefox.exe PID: 4244, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: KHAWATMI CO.IMPORT & EXPORT_PDF.exe PID: 1288, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: firefox.exe PID: 7036, type: MEMORY
                      Source: Yara matchFile source: 13.2.firefox.exe.3f5b270.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.KHAWATMI CO.IMPORT & EXPORT_PDF.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.firefox.exe.3f25450.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.firefox.exe.3f5b270.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.firefox.exe.3f25450.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.KHAWATMI CO.IMPORT & EXPORT_PDF.exe.3f4a790.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.firefox.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.KHAWATMI CO.IMPORT & EXPORT_PDF.exe.3f4a790.10.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation211Registry Run Keys / Startup Folder1Extra Window Memory Injection1Disable or Modify Tools1OS Credential Dumping2Account Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumIngress Tool Transfer1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsProcess Injection112Obfuscated Files or Information1Input Capture21File and Directory Discovery1Remote Desktop ProtocolData from Local System2Exfiltration Over BluetoothEncrypted Channel12Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Registry Run Keys / Startup Folder1Software Packing1Credentials in Registry1System Information Discovery114SMB/Windows Admin SharesEmail Collection1Automated ExfiltrationNon-Standard Port1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Timestomp1NTDSQuery Registry1Distributed Component Object ModelInput Capture21Scheduled TransferNon-Application Layer Protocol2SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptExtra Window Memory Injection1LSA SecretsSecurity Software Discovery431SSHClipboard Data1Data Transfer Size LimitsApplication Layer Protocol13Manipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonMasquerading11Cached Domain CredentialsProcess Discovery2VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsVirtualization/Sandbox Evasion251DCSyncVirtualization/Sandbox Evasion251Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobProcess Injection112Proc FilesystemApplication Window Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Hidden Files and Directories1/etc/passwd and /etc/shadowSystem Owner/User Discovery1Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                      Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Invalid Code SignatureNetwork SniffingRemote System Discovery1Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 385328 Sample: KHAWATMI CO.IMPORT & EXPORT... Startdate: 12/04/2021 Architecture: WINDOWS Score: 100 49 clientconfig.passport.net 2->49 61 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->61 63 Found malware configuration 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 7 other signatures 2->67 8 KHAWATMI CO.IMPORT & EXPORT_PDF.exe 15 4 2->8         started        12 firefox.exe 3 2->12         started        14 firefox.exe 2->14         started        signatures3 process4 dnsIp5 51 bornforthis.ml 104.21.17.57, 443, 49729, 49730 CLOUDFLARENETUS United States 8->51 69 Hides threads from debuggers 8->69 71 Injects a PE file into a foreign processes 8->71 16 KHAWATMI CO.IMPORT & EXPORT_PDF.exe 2 9 8->16         started        21 cmd.exe 1 8->21         started        23 WerFault.exe 23 9 8->23         started        25 KHAWATMI CO.IMPORT & EXPORT_PDF.exe 8->25         started        73 Multi AV Scanner detection for dropped file 12->73 75 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->75 77 Machine Learning detection for dropped file 12->77 79 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->79 27 cmd.exe 1 12->27         started        29 firefox.exe 12->29         started        31 WerFault.exe 12->31         started        signatures6 process7 dnsIp8 45 jumatsedekah.com 101.50.1.12, 49771, 49772, 587 BEON-AS-IDPTBeonIntermediaID Indonesia 16->45 47 mail.jumatsedekah.com 16->47 41 C:\Users\user\AppData\Roaming\...\firefox.exe, PE32 16->41 dropped 43 C:\Users\user\...\firefox.exe:Zone.Identifier, ASCII 16->43 dropped 53 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->53 55 Tries to steal Mail credentials (via file access) 16->55 57 Tries to harvest and steal ftp login credentials 16->57 59 4 other signatures 16->59 33 conhost.exe 21->33         started        35 timeout.exe 1 21->35         started        37 conhost.exe 27->37         started        39 timeout.exe 1 27->39         started        file9 signatures10 process11

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      KHAWATMI CO.IMPORT & EXPORT_PDF.exe12%ReversingLabsWin32.Trojan.Generic
                      KHAWATMI CO.IMPORT & EXPORT_PDF.exe100%Joe Sandbox ML

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\AppData\Roaming\firefox\firefox.exe100%Joe Sandbox ML
                      C:\Users\user\AppData\Roaming\firefox\firefox.exe12%ReversingLabsWin32.Trojan.Generic

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      6.2.KHAWATMI CO.IMPORT & EXPORT_PDF.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                      20.2.firefox.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                      https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.0%URL Reputationsafe
                      http://ZUOsUg.com0%Avira URL Cloudsafe
                      https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg0%URL Reputationsafe
                      https://WmLbJDkaOPbXW.org0%Avira URL Cloudsafe
                      https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-1716680%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-1716680%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-1716680%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-0%URL Reputationsafe
                      https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-118370%URL Reputationsafe
                      https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-118370%URL Reputationsafe
                      https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-118370%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-12737166900%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-12737166900%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-12737166900%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp0%URL Reputationsafe
                      http://mail.jumatsedekah.com0%Avira URL Cloudsafe
                      https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-0%URL Reputationsafe
                      https://www.liverpool.com/all-about/premier-league0%URL Reputationsafe
                      https://www.liverpool.com/all-about/premier-league0%URL Reputationsafe
                      https://www.liverpool.com/all-about/premier-league0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-0%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/0%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/0%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/0%URL Reputationsafe
                      https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-171661540%URL Reputationsafe
                      https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-171661540%URL Reputationsafe
                      https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-171661540%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.0%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-199578500%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-199578500%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-199578500%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-020%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-020%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-020%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png0%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-18760%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-18760%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-18760%URL Reputationsafe
                      http://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7E010%Avira URL Cloudsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      http://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalgli0%Avira URL Cloudsafe
                      https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg0%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-19961660%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-19961660%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-19961660%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst0%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst0%URL Reputationsafe
                      https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst0%URL Reputationsafe
                      https://reachplc.hub.loginradius.com&quot;0%Avira URL Cloudsafe
                      https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.0%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-12737166900%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-12737166900%URL Reputationsafe
                      https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-12737166900%URL Reputationsafe
                      https://s2-prod.liverpool.com0%URL Reputationsafe
                      https://s2-prod.liverpool.com0%URL Reputationsafe
                      https://s2-prod.liverpool.com0%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      jumatsedekah.com
                      		101.50.1.12
                      		truetrue
                        		unknown
                        bornforthis.ml
                        		104.21.17.57
                        		truefalse
                          		unknown
                          clientconfig.passport.net
                          		unknown
                          		unknownfalse
                            		unknown
                            mail.jumatsedekah.com
                            		unknown
                            		unknowntrue
                              		unknown

                              URLs from Memory and Binaries

                              NameSourceMaliciousAntivirus DetectionReputation
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpfalse
                                		high
                                http://127.0.0.1:HTTP/1.1KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.910151654.00000000030D1000.00000004.00000001.sdmp, firefox.exe, 00000014.00000002.909476623.0000000002881000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		low
                                https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpfalse
                                  		high
                                  http://ZUOsUg.comfirefox.exe, 00000014.00000002.909476623.0000000002881000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpgKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  https://WmLbJDkaOPbXW.orgKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.910913383.000000000343A000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.910949295.0000000003449000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.910822738.00000000033EB000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.910151654.00000000030D1000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://c.amazon-adsystem.com/aax2/apstag.jsKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                    		high
                                    https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovinceWerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpfalse
                                      		high
                                      https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authenticationWerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpfalse
                                        		high
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.oWerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpfalse
                                          		high
                                          https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jpKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://mail.jumatsedekah.comKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.910913383.000000000343A000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidWerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpfalse
                                            		high
                                            https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            https://www.liverpool.com/all-about/premier-leagueKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpgKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.pngKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            https://www.liverpool.com/liverpool-fc-news/KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.oWerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpfalse
                                              		high
                                              https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown
                                              https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown
                                              https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown
                                              https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664598431.0000000002DA1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpfalse
                                                		high
                                                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.906435816.0000000000402000.00000040.00000001.sdmp, firefox.exe, 0000000D.00000002.752549672.0000000003F25000.00000004.00000001.sdmp, firefox.exe, 00000014.00000002.906456012.0000000000402000.00000040.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpgKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.jsKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                  		high
                                                  https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.pngKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7E01firefox.exe, firefox.exe, 00000017.00000002.742548778.00000000005B2000.00000002.00020000.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exefalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifierWerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpfalse
                                                    		high
                                                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000002.910151654.00000000030D1000.00000004.00000001.sdmp, firefox.exe, 00000014.00000002.909476623.0000000002881000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalgliKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000006.00000003.865790831.000000000157B000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpgKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorstKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://reachplc.hub.loginradius.com&quot;KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		low
                                                    https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.pngKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://s2-prod.liverpool.comKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://i2-prod.liverpool.comKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://felix.data.tm-awx.com/felix.min.jsKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpgKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpgKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://www.liverpool.com/all-about/ozan-kabakKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://s2-prod.mirror.co.uk/KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://www.liverpool.com/all-about/champions-leagueKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://www.liverpool.com/all-about/curtis-userKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://www.liverpool.com/all-about/steven-gerrardKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://bornforthis.mlKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664598431.0000000002DA1000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://bornforthis.ml46kXKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664634640.0000000002DD5000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://schema.org/NewsArticleKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                      		high
                                                      https://www.liverpool.com/schedule/KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://schema.org/BreadcrumbListKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                        		high
                                                        https://securepubads.g.doubleclick.net/tag/js/gpt.jsKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                          		high
                                                          https://s2-prod.liverpool.com/KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		unknown
                                                          https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		unknown
                                                          https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		unknown
                                                          https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		unknown
                                                          https://felix.data.tm-awx.com/ampconfig.json&quot;KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		unknown
                                                          https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		unknown
                                                          https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpgKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		unknown
                                                          https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpgKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		unknown
                                                          https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		unknown
                                                          https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpgKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20WerFault.exe, 00000009.00000003.675969101.00000000056D0000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.752818015.0000000005290000.00000004.00000001.sdmpfalse
                                                            		high
                                                            https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpgKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://schema.org/ListItemKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                              		high
                                                              https://www.liverpool.com/all-about/georginio-wijnaldumKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              https://mab.data.tm-awx.com/rhs&quot;KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              https://felix.data.tm-awx.comKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              https://www.liverpool.com/all-about/andrew-robertsonKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000002.664659982.0000000002DFF000.00000004.00000001.sdmp, KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              https://i2-prod.liverpool.com/incoming/article17166876.ece/ALTERNATES/s615/0_GettyImages-1175998874.KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              https://api.ipify.org%GETMozilla/5.0firefox.exe, 00000014.00000002.909476623.0000000002881000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		low
                                                              https://www.liverpool.com/liverpool-fc-news/features/liverpool-gini-wijnaldum-rumours-fitness-199533KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-199590KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s180/0_GettyImages-1304940818.KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              https://www.liverpool.com/KHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              https://www.liverpool.com/all-about/transfersKHAWATMI CO.IMPORT & EXPORT_PDF.exe, 00000000.00000003.647039945.00000000040C2000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown

                                                              Contacted IPs

                                                              • No. of IPs < 25%
                                                              • 25% < No. of IPs < 50%
                                                              • 50% < No. of IPs < 75%
                                                              • 75% < No. of IPs

                                                              Public

                                                              IPDomainCountryFlagASNASN NameMalicious
                                                              104.21.17.57
                                                              		bornforthis.mlUnited States
                                                              		13335CLOUDFLARENETUSfalse
                                                              101.50.1.12
                                                              		jumatsedekah.comIndonesia
                                                              		55688BEON-AS-IDPTBeonIntermediaIDtrue

                                                              General Information

                                                              Joe Sandbox Version:31.0.0 Emerald
                                                              Analysis ID:385328
                                                              Start date:12.04.2021
                                                              Start time:10:35:38
                                                              Joe Sandbox Product:CloudBasic
                                                              Overall analysis duration:0h 12m 14s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:light
                                                              Sample file name:KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                              Number of analysed new started processes analysed:28
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • HDC enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Detection:MAL
                                                              Classification:mal100.troj.spyw.evad.winEXE@21/12@7/2
                                                              EGA Information:Failed
                                                              HDC Information:
                                                              • Successful, ratio: 2.4% (good quality ratio 1.7%)
                                                              • Quality average: 40.7%
                                                              • Quality standard deviation: 31.7%
                                                              HCA Information:
                                                              • Successful, ratio: 100%
                                                              • Number of executed functions: 0
                                                              • Number of non-executed functions: 0
                                                              Cookbook Comments:
                                                              • Adjust boot time
                                                              • Enable AMSI
                                                              • Found application associated with file extension: .exe
                                                              Warnings:
                                                              Show All
                                                              • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                              • TCP Packets have been reduced to 100
                                                              • Excluded IPs from analysis (whitelisted): 52.255.188.83, 13.107.3.254, 13.107.246.254, 88.221.62.148, 92.123.150.225, 104.43.193.48, 20.82.210.154, 40.88.32.150, 52.155.217.156, 20.54.26.129, 2.20.142.210, 2.20.142.209, 92.122.213.247, 92.122.213.194, 13.64.90.137, 20.50.102.62
                                                              • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, s-ring.msedge.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e11290.dspg.akamaiedge.net, e13551.dscg.akamaiedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, msagfx.live.com-6.edgekey.net, skypedataprdcoleus15.cloudapp.net, authgfx.msa.akadns6.net, go.microsoft.com, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, s-ring.s-9999.s-msedge.net, t-ring.msedge.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, t-9999.t-msedge.net, skypedataprdcoleus17.cloudapp.net, s-9999.s-msedge.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, t-ring.t-9999.t-msedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                              • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                              • Report size getting too big, too many NtSetInformationFile calls found.
                                                              • VT rate limit hit for: /opt/package/joesandbox/database/analysis/385328/sample/KHAWATMI CO.IMPORT & EXPORT_PDF.exe

                                                              Simulations

                                                              Behavior and APIs

                                                              TimeTypeDescription
                                                              10:36:41API Interceptor691x Sleep call for process: KHAWATMI CO.IMPORT & EXPORT_PDF.exe modified
                                                              10:36:45API Interceptor2x Sleep call for process: WerFault.exe modified
                                                              10:36:52AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run firefox C:\Users\user\AppData\Roaming\firefox\firefox.exe
                                                              10:37:00AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run firefox C:\Users\user\AppData\Roaming\firefox\firefox.exe
                                                              10:37:22API Interceptor454x Sleep call for process: firefox.exe modified

                                                              Joe Sandbox View / Context

                                                              IPs

                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                              104.21.17.57ieuHgdpuPo.exeGet hashmaliciousBrowse
                                                              • bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-B86F8FF0FC5B4DFA84D548466676F331.html
                                                              Payment Slip.docGet hashmaliciousBrowse
                                                              • bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-9B8523D461F26385D631D5F620BB8B2E.html
                                                              Cobro Juridico_0291662728_7023446_452487041454723_016698_5192136884256735776_2301761820735_pdf.exeGet hashmaliciousBrowse
                                                              • bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-563A37589B0D2B59C10374B2A5702724.html
                                                              BL2659618800638119374.xls.exeGet hashmaliciousBrowse
                                                              • bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-411168C7CB32589BC9FA46F44C581051.html
                                                              Re Confirm#U00ffthe invoice#U00ffthe payment slip.exeGet hashmaliciousBrowse
                                                              • bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A354FBFCCC9BAC28AE0C0FFC172C1EF9.html
                                                              GQ5JvPEI6c.exeGet hashmaliciousBrowse
                                                              • bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-9B8523D461F26385D631D5F620BB8B2E.html
                                                              COMMERCIAL INVOICE N#U00c2#U00ba 0001792E21.exeGet hashmaliciousBrowse
                                                              • bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-217C604161C10233520053A33E0A764C.html
                                                              MINUSCA P01-21.exeGet hashmaliciousBrowse
                                                              • bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A39FCD8B5C8720A97DC432DDA40A393E.html
                                                              P195 NOVO Cinema#2021.exeGet hashmaliciousBrowse
                                                              • bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5573265BC294D44B8ECD9F019E83F237.html
                                                              101.50.1.12Rechnung_17_12_2019_1675666855.docGet hashmaliciousBrowse
                                                              • suryaprimaimplantama.com/cgi-sys/suspendedpage.cgi
                                                              057714260497313955.docGet hashmaliciousBrowse
                                                              • timurjayaindosteel.com/wp-content/suqzjgt3871/
                                                              057714260497313955.docGet hashmaliciousBrowse
                                                              • timurjayaindosteel.com/wp-content/suqzjgt3871/
                                                              057714260497313955.docGet hashmaliciousBrowse
                                                              • timurjayaindosteel.com/wp-content/suqzjgt3871/
                                                              http://meidiaz.com/wp-admin/BDPYRRhgvVlfutw/Get hashmaliciousBrowse
                                                              • meidiaz.com/favicon.ico
                                                              Archivo 23-09-2019 0543768.docGet hashmaliciousBrowse
                                                              • www.angelicaevelyn.com/wp-admin/cbo60/
                                                              Archivo 23-09-2019 0543768.docGet hashmaliciousBrowse
                                                              • www.angelicaevelyn.com/wp-admin/cbo60/
                                                              Archivo 23-09-2019 0543768.docGet hashmaliciousBrowse
                                                              • www.angelicaevelyn.com/wp-admin/cbo60/

                                                              Domains

                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                              bornforthis.mlieuHgdpuPo.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              Cobro Juridico_0420198202_326828_4985792583130360_300690_8122300886764676459_5190713730838_pdf.exeGet hashmaliciousBrowse
                                                              • 172.67.222.176
                                                              Payment Slip.docGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              Cobro Juridico_0291662728_7023446_452487041454723_016698_5192136884256735776_2301761820735_pdf.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              Cobro Juridico_07223243630_5643594_539661009070075_49874359_5059639084170590400_7272781644_pdf.exeGet hashmaliciousBrowse
                                                              • 172.67.222.176
                                                              BL2659618800638119374.xls.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              Purchase order and quote confirmation.exeGet hashmaliciousBrowse
                                                              • 172.67.222.176
                                                              Re Confirm#U00ffthe invoice#U00ffthe payment slip.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              GQ5JvPEI6c.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              COMMERCIAL INVOICE N#U00c2#U00ba 0001792E21.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              9479_pdf.exeGet hashmaliciousBrowse
                                                              • 172.67.222.176
                                                              MINUSCA P01-21.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              2EGv1FEjOU.exeGet hashmaliciousBrowse
                                                              • 172.67.222.176
                                                              P195 NOVO Cinema#2021.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57

                                                              ASN

                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                              BEON-AS-IDPTBeonIntermediaIDPurchase order and quote confirmation.exeGet hashmaliciousBrowse
                                                              • 101.50.1.12
                                                              Re Confirm#U00ffthe invoice#U00ffthe payment slip.exeGet hashmaliciousBrowse
                                                              • 101.50.1.12
                                                              Purchase Order 2070121_SN-WS.exeGet hashmaliciousBrowse
                                                              • 103.27.206.196
                                                              H56P7iDwnJ.docGet hashmaliciousBrowse
                                                              • 101.50.1.27
                                                              Zahlung-06.11.20.exeGet hashmaliciousBrowse
                                                              • 101.50.0.165
                                                              H4A2-423-EM154-302.exeGet hashmaliciousBrowse
                                                              • 101.50.0.165
                                                              38MjVKiDYw.docGet hashmaliciousBrowse
                                                              • 101.50.1.18
                                                              JdYMqpAYWK.docGet hashmaliciousBrowse
                                                              • 101.50.1.18
                                                              HvGWrUUUJA.docGet hashmaliciousBrowse
                                                              • 101.50.1.18
                                                              4MeH5JPMdX.docGet hashmaliciousBrowse
                                                              • 101.50.1.18
                                                              Y4oCtZX5bU.docGet hashmaliciousBrowse
                                                              • 101.50.1.18
                                                              TIZlukG7TU.docGet hashmaliciousBrowse
                                                              • 101.50.1.18
                                                              oW6V7pEddm.docGet hashmaliciousBrowse
                                                              • 101.50.1.18
                                                              7NHgdZOTOQ.docGet hashmaliciousBrowse
                                                              • 101.50.1.18
                                                              DhjGjxZ5BR.docGet hashmaliciousBrowse
                                                              • 101.50.1.18
                                                              n4fKspDAx5.docGet hashmaliciousBrowse
                                                              • 101.50.1.18
                                                              TPlrBVNblb.docGet hashmaliciousBrowse
                                                              • 101.50.1.18
                                                              fhopRwZv3g.docGet hashmaliciousBrowse
                                                              • 101.50.1.18
                                                              Tfla4MM3Ow.docGet hashmaliciousBrowse
                                                              • 101.50.1.18
                                                              JjAtGIggGa.docGet hashmaliciousBrowse
                                                              • 101.50.1.18
                                                              CLOUDFLARENETUSYNzE2QUkvaTK7kd.exeGet hashmaliciousBrowse
                                                              • 172.67.148.14
                                                              NdBLyH2h5d.exeGet hashmaliciousBrowse
                                                              • 23.227.38.74
                                                              s6G3ZtvHZg.exeGet hashmaliciousBrowse
                                                              • 172.67.130.43
                                                              4oItdZkNOZ.exeGet hashmaliciousBrowse
                                                              • 23.227.38.74
                                                              ieuHgdpuPo.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              Cobro Juridico_0420198202_326828_4985792583130360_300690_8122300886764676459_5190713730838_pdf.exeGet hashmaliciousBrowse
                                                              • 172.67.222.176
                                                              Payment Slip.docGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              Cobro Juridico_0291662728_7023446_452487041454723_016698_5192136884256735776_2301761820735_pdf.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              INQUIRY 1820521 pdf.exeGet hashmaliciousBrowse
                                                              • 104.21.82.58
                                                              PaymentCopy.vbsGet hashmaliciousBrowse
                                                              • 172.67.222.131
                                                              PAYMENT COPY.exeGet hashmaliciousBrowse
                                                              • 104.21.28.135
                                                              PO NUMBER 3120386 3120393 SIGNED.exeGet hashmaliciousBrowse
                                                              • 1.2.3.4
                                                              Cobro Juridico_07223243630_5643594_539661009070075_49874359_5059639084170590400_7272781644_pdf.exeGet hashmaliciousBrowse
                                                              • 172.67.222.176
                                                              BL2659618800638119374.xls.exeGet hashmaliciousBrowse
                                                              • 172.67.222.176
                                                              Purchase order and quote confirmation.exeGet hashmaliciousBrowse
                                                              • 172.67.222.176
                                                              Confirm Order for SK TRIMS & INDUSTRIES_DK4571,pdf.exeGet hashmaliciousBrowse
                                                              • 172.67.188.154
                                                              Re Confirm#U00ffthe invoice#U00ffthe payment slip.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              SOA.exeGet hashmaliciousBrowse
                                                              • 104.21.19.200
                                                              RFQ No A'4762GHTECHNICAL DETAILS.exeGet hashmaliciousBrowse
                                                              • 104.21.19.200
                                                              GQ5JvPEI6c.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57

                                                              JA3 Fingerprints

                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                              54328bd36c14bd82ddaa0c04b25ed9adieuHgdpuPo.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              Cobro Juridico_0420198202_326828_4985792583130360_300690_8122300886764676459_5190713730838_pdf.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              Cobro Juridico_0291662728_7023446_452487041454723_016698_5192136884256735776_2301761820735_pdf.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              Cobro Juridico_07223243630_5643594_539661009070075_49874359_5059639084170590400_7272781644_pdf.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              BL2659618800638119374.xls.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              Purchase order and quote confirmation.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              Confirm Order for SK TRIMS & INDUSTRIES_DK4571,pdf.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              Re Confirm#U00ffthe invoice#U00ffthe payment slip.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              SOA.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              RFQ No A'4762GHTECHNICAL DETAILS.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              GQ5JvPEI6c.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              JSTCG21040600210 xlxs.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              PAYMENT RECEIPT.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              COMMERCIAL INVOICE N#U00c2#U00ba 0001792E21.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              9479_pdf.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              fyi.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              MINUSCA P01-21.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              Invoice-ID-(87656532).vbsGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              2EGv1FEjOU.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57
                                                              P195 NOVO Cinema#2021.exeGet hashmaliciousBrowse
                                                              • 104.21.17.57

                                                              Dropped Files

                                                              No context

                                                              Created / dropped Files

                                                              C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_KHAWATMI CO.IMPO_5234892f60a6fc5cef568f6b8afb785bfdf6873_4cf11da3_169e8dc4\Report.wer
                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):6984
                                                              Entropy (8bit):3.7755590726038553
                                                              Encrypted:false
                                                              SSDEEP:96:rA3Va4EhDjCQiMlHHxpLUpXI/c/NZAXGng5FMTPSkvPkpXmTAMfnVXT5Ur9BUhTj:E3g4EhD9mC/u7szS274ItkN
                                                              MD5:614CD40560D2F1AE24C65C67F48DBCA8
                                                              SHA1:23BB50587EDA603FA58D4D00A06105731F062E30
                                                              SHA-256:AB798557AC1101A866AFDD9A3325D7719626E6CF9031A8D98DE7EF8370BBCA80
                                                              SHA-512:24795C9EE3F3ADEEC84A7111B6D3EE390A3CF152D524D9A8D4C6E691AEDEF453E35515974028F90BF5467D981BEF505FA8C3F872EA41C3C0EDE3E67BEEF77378
                                                              Malicious:false
                                                              Reputation:low
                                                              Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.2.6.9.0.1.9.5.7.2.4.9.5.1.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.2.6.9.0.2.0.4.3.1.8.6.7.1.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.5.6.6.5.2.8.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.2.e.7.6.5.e.2.-.1.4.1.9.-.4.c.c.4.-.a.8.e.7.-.a.e.5.7.8.9.f.4.3.1.1.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.1.c.5.a.b.4.6.-.d.8.f.3.-.4.0.2.c.-.9.4.4.e.-.8.9.1.7.0.3.5.e.7.a.8.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.K.H.A.W.A.T.M.I. .C.O...I.M.P.O.R.T. .&. .E.X.P.O.R.T._.P.D.F...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.b.a.d.e.n.b.e.r.g...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.b.4.-.0.0.0.1.-.0.0.1.b.-.1.0.9.8.-.3.6.e.b.7.6.2.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.c.a.c.6.6.c.0.6.8.3.e.a.6.d.0.3.a.5.6.9.d.0.4.f.0.a.e.9.d.a.e.0.0.0.0.0.0.0.0.!.0.0.0.0.c.a.f.b.4.2.e.d.9.1.8.
                                                              C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_firefox.exe_da79bea013ab5e47f0eb56f8dd08072c163a39f_ba7a16af_0b6b26b8\Report.wer
                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):14710
                                                              Entropy (8bit):3.7611524426035783
                                                              Encrypted:false
                                                              SSDEEP:192:Q5bhz8mHBUZMXyaKsU832a0/u7siS274ItCD:Kbhz9BUZMXyaqa0/u7siX4ItCD
                                                              MD5:1DCAFC9E0A1FE42DFF449CE8036433EB
                                                              SHA1:74FA0A7E3FBE44C88E1B8376AF4F577D0632E884
                                                              SHA-256:92984F7316368AA1618E88A512016B4749FD2A02A1409F05CBB67079C437F5CE
                                                              SHA-512:BABE0A8EA0C80B17F3806A51CE166645225B65A62D4A3F14334A8FB975EC13C14FB17B8031E5F46C62116AC291A6BB5F79CAD302A28CDD59F89559B32D7E27F1
                                                              Malicious:false
                                                              Reputation:low
                                                              Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.2.6.9.0.2.3.1.8.3.4.2.0.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.2.6.9.0.2.4.3.2.8.7.2.9.2.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.5.6.6.5.2.8.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.a.0.8.9.0.6.f.-.3.1.2.3.-.4.3.1.2.-.8.3.4.2.-.f.9.6.d.d.a.f.d.0.2.e.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.3.e.c.7.5.1.a.-.b.1.1.7.-.4.6.6.5.-.8.9.a.3.-.0.d.3.f.f.0.3.6.3.e.f.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.r.e.f.o.x...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.b.a.d.e.n.b.e.r.g...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.7.c.-.0.0.0.1.-.0.0.1.b.-.3.1.0.b.-.c.d.0.1.7.7.2.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.c.a.c.6.6.c.0.6.8.3.e.a.6.d.0.3.a.5.6.9.d.0.4.f.0.a.e.9.d.a.e.0.0.0.0.0.0.0.0.!.0.0.0.0.c.a.f.b.4.2.e.d.9.1.8.9.f.f.9.5.0.d.a.2.b.1.4.d.7.a.b.3.a.e.a.b.2.2.9.
                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER6685.tmp.dmp
                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                              File Type:Mini DuMP crash report, 15 streams, CheckSum 0x00000004, Mon Apr 12 08:36:39 2021, 0x1205a4 type
                                                              Category:dropped
                                                              Size (bytes):52502
                                                              Entropy (8bit):2.928860451821771
                                                              Encrypted:false
                                                              SSDEEP:384:QG6Zw13fFEF3HEFpMJl39mxLq0EklSEr7F9JmtkBZcwJLU/XDDhQIi0t5iokMhT4:j3fFMHEh6/Cp07iYPmn3Ham2V2R1l
                                                              MD5:42C1FB9F4CE0CFC32A0904E50BE45919
                                                              SHA1:631ABCA1E2072F507A94CAF26B2DE5D548795CC2
                                                              SHA-256:C11EE84BC220CA30D1D5F92F45A3ABEA2ADDE4C60A102CBD24B4BDD2581FA6DF
                                                              SHA-512:CF6642E04A804D65E763C175E9F7CD9C2916404EA6B23F4CEBD7D2E8FC42A62FB1C54820BF41F135BA45E8928D60518450B0A30E44C451F7099B13F3BF47CB57
                                                              Malicious:false
                                                              Reputation:low
                                                              Preview: MDMP....... .........t`...................U...........B......8,......GenuineIntelW...........T.............t`.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER7BA4.tmp.WERInternalMetadata.xml
                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):8012
                                                              Entropy (8bit):3.705780916412254
                                                              Encrypted:false
                                                              SSDEEP:192:Rrl7r3GLNiWQ6FG6YrHSUJ6gmfZsS7+prR89bE6sfUSsm:RrlsNi56U6YLSUJ6gmf+SREZfB
                                                              MD5:A5701DF86BC066037EFF410775FA82CC
                                                              SHA1:773AD153C56598F356F53142F82F37A7CF773C14
                                                              SHA-256:FF3C076F66B7E86826B4316CC2B1C9934EBA89F7064D17CD6140A5ECE296D647
                                                              SHA-512:1283B852FA034D2B85A1BF9ADAAB35FF270072A95EBA1D5C323FC3CEC3B98F8E261D7A6A97C47EBA4D49F6087256C800C2C56027BA5EB1DE6D8A5761AF6A6153
                                                              Malicious:false
                                                              Reputation:low
                                                              Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.9.2.<./.P.i.d.>.......
                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D5B.tmp.xml
                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):4866
                                                              Entropy (8bit):4.577787225272875
                                                              Encrypted:false
                                                              SSDEEP:48:cvIwSD8zs+JgtWI96UWSC8BC8fm8M4J6OxO5FFmNpyE+q8vYO59uxih7KuLjuCGd:uITf0RNSNlJDVKHuYLKCGd
                                                              MD5:5CC01E89734FCD6A59789232F26DD085
                                                              SHA1:2FD39A03BD06831D8875199BC355354AE3A370B5
                                                              SHA-256:8459CC6AD4B01E5A9F54E88984B1F573E5E337FABD6FEE00FE7F212BB81A3E71
                                                              SHA-512:04265D513925905CFB7A21C8377A036D5941C643917FE71C88FCFF1CC246D8B24596F33383BD5021DF6DDDB0DE3587F18FB27ED891B2F181EC593BF479623D31
                                                              Malicious:false
                                                              Reputation:low
                                                              Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="942827" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERB61.tmp.WERInternalMetadata.xml
                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):8392
                                                              Entropy (8bit):3.6956968947587177
                                                              Encrypted:false
                                                              SSDEEP:192:Rrl7r3GLNi6h6J6YrSSUwAJ3legmfZ4SM+pr089bB8sfgrm:RrlsNiE6J6Y+SUwApsgmfSSxBPfB
                                                              MD5:6322E7ED1D213C45920D7EF413D46B08
                                                              SHA1:5DB9FDCB93CA913A60F313740C1D13377E8B4B89
                                                              SHA-256:27057CC602CFE2E8B14830984F861A8FD4FADDCAFAA8526C68920A7BD47F1F3A
                                                              SHA-512:C8B71DC3BDB2EBEBA1EDED93FB93FD4DB04B45C3571DC7FE503626F0D8013CA6C68B337F3F7D90FB4F25E02C64296D1F096856FD5E64C1E6B9A87C83F6F32DD1
                                                              Malicious:false
                                                              Reputation:low
                                                              Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.3.6.<./.P.i.d.>.......
                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WEREED.tmp.xml
                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):4734
                                                              Entropy (8bit):4.448407869746287
                                                              Encrypted:false
                                                              SSDEEP:48:cvIwSD8zs+JgtWI96UWSC8BI8fm8M4JuFFUr+q8vZiuxih7XY+Gd:uITf0RNSN/JZrKIueY+Gd
                                                              MD5:3C6670A2C048F6160EE1C581AB152FBA
                                                              SHA1:BF045F69001F2919E62BD9C91C1093EEFA215CD5
                                                              SHA-256:6FA4F7424250E351D3C6C45ABC7441C355DB8954837F0544B7F45B0FF78AFA5E
                                                              SHA-512:89F28481E7A4011E3402C5DAD3E8318F0B2BCD4CAACB62D9CFB2FEB98BC03D3D73546E6662D051E8460057AF5C97A4EC710BD72F8CCC9B328B6C81A187B112C5
                                                              Malicious:false
                                                              Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="942827" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERF393.tmp.dmp
                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                              File Type:Mini DuMP crash report, 14 streams, CheckSum 0x00000004, Mon Apr 12 08:37:15 2021, 0x1205a4 type
                                                              Category:dropped
                                                              Size (bytes):181663
                                                              Entropy (8bit):4.497569692502107
                                                              Encrypted:false
                                                              SSDEEP:3072:vXw0+fkjd+pEX+2oA9gIOgF5S0PUCgU3X80suf:vA0+flpeZ9RpDSOTjdf
                                                              MD5:FEDE48B84755D61284B8EDE7215D3605
                                                              SHA1:76537FFA44F8427A74B083A936764127F53E404C
                                                              SHA-256:58F7604C299301810A20DF92CCA1906237EF185FAC3F3CEFBEBB14DB60F82F79
                                                              SHA-512:CB0CD1C13C10B2E8A0D170240CA108C38DE8CFCBEE90E3316A43B07B26235E0F9482EF62521611EDA63521FA566F190AA8E1CBA57CD2A5C1AA524E94BDF25C20
                                                              Malicious:false
                                                              Preview: MDMP....... .........t`...................U...........B.......#......GenuineIntelW...........T.......|.....t`.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                              C:\Users\user\AppData\Roaming\firefox\firefox.exe
                                                              Process:C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):14336
                                                              Entropy (8bit):6.0556728102257456
                                                              Encrypted:false
                                                              SSDEEP:384:v8ecw1OYNBaxLK9/r5Fef9GX1l/9hXL0xDJ:v8k1ZNGA/rq1Gll/fbk
                                                              MD5:EE8919FF7B5F2A89B6C1984A6A3B7FBC
                                                              SHA1:CAFB42ED9189FF950DA2B14D7AB3AEAB229D8165
                                                              SHA-256:5074A2F201D924BDF62F0A58BCA9CF0A5536AF84B3B90BC6915A5CF36DFE019F
                                                              SHA-512:BAA09369C1BD1DD7B7FCDB533FCDEE63A76BD3645ADD3062C847D98A5967925AA3F236D483839658368FF6B803DA437B01B36E2F91C1976B6F50222477F2935D
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              • Antivirus: ReversingLabs, Detection: 12%
                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0.............~L... ...`....@.. ....................................@.................................0L..K....`............................................................................... ............... ..H............text....,... ...................... ..`.rsrc........`.......0..............@..@.reloc...............6..............@..B................`L......H.......8'...$...........................................................*".(.....*R.(.......s....}....*".(-....*Vs....(....t.........*..r...p(/.....((0...r...p.(1....(4....*...0..9........s.....+........o....o.....r....,...o........o....o.....*....0...........(....o.....+.+........*.0...........s......%r...po.......r...p.+.........~.....r$..ps......s........o....r|..po........o......8j.....(............o........r...po........9...........o....o......+2..o....t...........o....
                                                              C:\Users\user\AppData\Roaming\firefox\firefox.exe:Zone.Identifier
                                                              Process:C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):26
                                                              Entropy (8bit):3.95006375643621
                                                              Encrypted:false
                                                              SSDEEP:3:ggPYV:rPYV
                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                              Malicious:true
                                                              Preview: [ZoneTransfer]....ZoneId=0
                                                              C:\Users\user\AppData\Roaming\qxn1gmbt.ift\Chrome\Default\Cookies
                                                              Process:C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                              Category:modified
                                                              Size (bytes):20480
                                                              Entropy (8bit):0.7006690334145785
                                                              Encrypted:false
                                                              SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
                                                              MD5:A7FE10DA330AD03BF22DC9AC76BBB3E4
                                                              SHA1:1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
                                                              SHA-256:8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
                                                              SHA-512:1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
                                                              Malicious:false
                                                              Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              C:\Users\user\YmbIShslLTQZdUqXrfprIi
                                                              Process:C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                                                              File Type:ASCII text, with very long lines, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):985004
                                                              Entropy (8bit):3.0971550355629005
                                                              Encrypted:false
                                                              SSDEEP:12288:dd/9nN0rL8kS531aY6WJ6BAKivn92tUX7Ithf0+0NoNO80dr5gbEsPtVkV/t2Rtd:IZckstJRWlj/N
                                                              MD5:638A164744A420D351EDFC7FB4D5BECF
                                                              SHA1:592ABEBA7F05AC2A4660FA379DC718A4767CE54A
                                                              SHA-256:4FCBC326F07AC4088E14A46E85474D8069AA9BAE65A90B04DDC8EF29DF4A4025
                                                              SHA-512:400CB6629FAAADCA51205A0BA09733E6620B00DC5FF19B0936B284E45F97DB7739D438EC148C3BD758FCE7096F3AAC0086AD3B49C13464ACF1F552F81B2AD5D7
                                                              Malicious:false
                                                              Preview: 77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 128 0 0 0 14 31 186 14 0 180 9 205 33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97 109 32 99 97 110 110 111 116 32 98 101 32 114 117 110 32 105 110 32 68 79 83 32 109 111 100 101 46 13 13 10 36 0 0 0 0 0 0 0 80 69 0 0 76 1 3 0 76 142 41 180 0 0 0 0 0 0 0 0 224 0 34 0 11 1 80 0 0 86 4 0 0 6 0 0 0 0 0 0 110 116 4 0 0 32 0 0 0 128 4 0 0 0 0 128 0 32 0 0 0 2 0 0 4 0 0 0 0 0 0 0 4 0 0 0 0 0 0 0 0 192 4 0 0 2 0 0 0 0 0 0 2 0 64 133 0 0 16 0 0 16 0 0 0 0 16 0 0 16 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 0 0 0 20 116 4 0 87 0 0 0 0 128 4 0 212 3 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 160 4 0 12 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 8 0 0 0 0 0 0 0 0 0 0 0 8 32 0 0 72 0 0 0 0 0 0 0 0 0 0 0 46 116 101 120 116 0 0 0 116 84 4 0 0 32 0 0 0 86 4 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 96 46 114 1

                                                              Static File Info

                                                              General

                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Entropy (8bit):6.0556728102257456
                                                              TrID:
                                                              • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                              • Win32 Executable (generic) a (10002005/4) 49.97%
                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                              • DOS Executable Generic (2002/1) 0.01%
                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                              File name:KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                                                              File size:14336
                                                              MD5:ee8919ff7b5f2a89b6c1984a6a3b7fbc
                                                              SHA1:cafb42ed9189ff950da2b14d7ab3aeab229d8165
                                                              SHA256:5074a2f201d924bdf62f0a58bca9cf0a5536af84b3b90bc6915a5cf36dfe019f
                                                              SHA512:baa09369c1bd1dd7b7fcdb533fcdee63a76bd3645add3062c847d98a5967925aa3f236d483839658368ff6b803da437b01b36e2f91c1976b6f50222477f2935d
                                                              SSDEEP:384:v8ecw1OYNBaxLK9/r5Fef9GX1l/9hXL0xDJ:v8k1ZNGA/rq1Gll/fbk
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............~L... ...`....@.. ....................................@................................

                                                              File Icon

                                                              Icon Hash:00828e8e8686b000

                                                              Static PE Info

                                                              General

                                                              Entrypoint:0x404c7e
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                              Time Stamp:0xDCE3B2C8 [Sun Jun 8 11:26:00 2087 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:v4.0.30319
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                              Entrypoint Preview

                                                              Instruction
                                                              jmp dword ptr [00402000h]
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al

                                                              Data Directories

                                                              NameVirtual AddressVirtual Size Is in Section
                                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_IMPORT0x4c300x4b.text
                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x60000x5a8.rsrc
                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x80000xc.reloc
                                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                              Sections

                                                              NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                              .text0x20000x2c840x2e00False0.633406929348data6.43603834757IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                              .rsrc0x60000x5a80x600False0.414713541667data4.05648932077IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                              .reloc0x80000xc0x200False0.044921875data0.0815394123432IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                              Resources

                                                              NameRVASizeTypeLanguageCountry
                                                              RT_VERSION0x60a00x31cdata
                                                              RT_MANIFEST0x63bc0x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                              Imports

                                                              DLLImport
                                                              mscoree.dll_CorExeMain

                                                              Version Infos

                                                              DescriptionData
                                                              Translation0x0000 0x04b0
                                                              LegalCopyrightCopyright 2021
                                                              Assembly Version1.0.0.0
                                                              InternalNamebadenberg.exe
                                                              FileVersion1.0.0.0
                                                              CompanyName
                                                              LegalTrademarks
                                                              Comments
                                                              ProductNamebadenberg
                                                              ProductVersion1.0.0.0
                                                              FileDescriptionbadenberg
                                                              OriginalFilenamebadenberg.exe

                                                              Network Behavior

                                                              Snort IDS Alerts

                                                              TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                              04/12/21-10:38:14.351385TCP2030171ET TROJAN AgentTesla Exfil Via SMTP49771587192.168.2.4101.50.1.12
                                                              04/12/21-10:38:19.462577TCP2030171ET TROJAN AgentTesla Exfil Via SMTP49772587192.168.2.4101.50.1.12

                                                              Network Port Distribution

                                                              TCP Packets

                                                              TimestampSource PortDest PortSource IPDest IP
                                                              Apr 12, 2021 10:36:24.734184980 CEST4972980192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:24.775049925 CEST8049729104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:24.775151014 CEST4972980192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:24.775732994 CEST4972980192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:24.816567898 CEST8049729104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:24.826509953 CEST8049729104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:24.881618977 CEST4972980192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:24.951533079 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:24.992275000 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:24.992371082 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.022321939 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.063031912 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.066523075 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.066550970 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.066654921 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.076210022 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.116877079 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.117938995 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.162858009 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.188397884 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.229228020 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.431293964 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.431324959 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.431340933 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.431364059 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.431385040 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.431401968 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.431423903 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.431457996 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.431492090 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.431653023 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.431669950 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.431893110 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.432132959 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.432403088 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.714468002 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.714498043 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.714569092 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.714585066 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.714675903 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.714706898 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.715054989 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.715079069 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.715142012 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.716006041 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.716029882 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.716105938 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.716984987 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.717009068 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.717061043 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.717937946 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.717962027 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.718044996 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.718885899 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.718913078 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.718970060 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.719839096 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.719862938 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.719923019 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.720781088 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.720804930 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.720864058 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.721729994 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.721752882 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.721808910 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.722695112 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.722717047 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.722788095 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.723665953 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.723690987 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.723751068 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.724584103 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.724606991 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.724694967 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.725545883 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.725569010 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.725657940 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.726509094 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.726533890 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.726620913 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.727440119 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.727464914 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.727526903 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.728419065 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.728441000 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.728507996 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.729353905 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.729378939 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.729444981 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.755372047 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.755399942 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.755523920 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.755742073 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.755767107 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.755834103 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.756705046 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.756727934 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.756788015 CEST49730443192.168.2.4104.21.17.57
                                                              Apr 12, 2021 10:36:25.757668018 CEST44349730104.21.17.57192.168.2.4
                                                              Apr 12, 2021 10:36:25.757689953 CEST44349730104.21.17.57192.168.2.4

                                                              UDP Packets

                                                              TimestampSource PortDest PortSource IPDest IP
                                                              Apr 12, 2021 10:36:15.368493080 CEST5912353192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:36:15.420043945 CEST53591238.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:36:15.502336025 CEST5453153192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:36:15.551043987 CEST53545318.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:36:15.736574888 CEST4971453192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:36:15.785828114 CEST53497148.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:36:17.762989998 CEST5802853192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:36:17.824132919 CEST53580288.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:36:18.060220003 CEST5309753192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:36:18.132759094 CEST53530978.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:36:24.595521927 CEST4925753192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:36:24.704716921 CEST53492578.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:36:24.839468956 CEST6238953192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:36:24.949664116 CEST53623898.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:36:44.433156013 CEST4991053192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:36:44.484657049 CEST53499108.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:36:45.441700935 CEST5585453192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:36:45.493307114 CEST53558548.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:36:45.699443102 CEST6454953192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:36:45.748070002 CEST53645498.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:36:45.769515038 CEST6315353192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:36:45.819277048 CEST53631538.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:36:46.572556019 CEST5299153192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:36:46.624209881 CEST53529918.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:36:47.477659941 CEST5370053192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:36:47.526659012 CEST53537008.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:36:48.236227036 CEST5172653192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:36:48.296797037 CEST53517268.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:36:55.257308960 CEST5679453192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:36:55.306844950 CEST53567948.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:36:56.211591959 CEST5653453192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:36:56.260273933 CEST53565348.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:07.171402931 CEST5662753192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:07.256845951 CEST53566278.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:07.976284027 CEST5662153192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:08.033453941 CEST53566218.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:08.304514885 CEST6311653192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:08.353195906 CEST53631168.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:08.725398064 CEST6407853192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:08.785293102 CEST53640788.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:09.267141104 CEST6480153192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:09.329715014 CEST53648018.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:09.371455908 CEST6172153192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:09.420099020 CEST53617218.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:09.845571041 CEST5125553192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:09.921303988 CEST53512558.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:10.019040108 CEST6152253192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:10.125303984 CEST53615228.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:10.269078016 CEST5233753192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:10.341667891 CEST53523378.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:10.731878996 CEST5504653192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:10.789208889 CEST53550468.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:11.338408947 CEST4961253192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:11.395610094 CEST53496128.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:12.579303980 CEST4928553192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:12.641366959 CEST53492858.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:13.211956024 CEST5060153192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:13.263619900 CEST53506018.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:14.018268108 CEST6087553192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:14.070393085 CEST53608758.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:14.212649107 CEST5644853192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:14.273655891 CEST53564488.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:14.710473061 CEST5917253192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:14.769642115 CEST53591728.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:14.927148104 CEST6242053192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:14.975810051 CEST53624208.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:18.704282045 CEST6057953192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:18.753561020 CEST53605798.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:24.844822884 CEST5018353192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:24.905587912 CEST53501838.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:25.472728968 CEST6153153192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:25.531574965 CEST53615318.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:41.866835117 CEST4922853192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:41.915566921 CEST53492288.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:42.665769100 CEST5979453192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:42.714673042 CEST53597948.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:43.929491997 CEST5591653192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:43.978703022 CEST53559168.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:44.818233967 CEST5275253192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:44.866893053 CEST53527528.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:37:45.713350058 CEST6054253192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:37:45.774478912 CEST53605428.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:38:00.288505077 CEST6068953192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:38:00.339976072 CEST53606898.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:38:02.324199915 CEST6420653192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:38:02.384255886 CEST53642068.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:38:08.868843079 CEST5090453192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:38:09.259047985 CEST53509048.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:38:09.272105932 CEST5752553192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:38:09.619596958 CEST53575258.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:38:16.059360981 CEST5381453192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:38:16.116512060 CEST53538148.8.8.8192.168.2.4
                                                              Apr 12, 2021 10:38:16.127177954 CEST5341853192.168.2.48.8.8.8
                                                              Apr 12, 2021 10:38:16.189141989 CEST53534188.8.8.8192.168.2.4

                                                              DNS Queries

                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                              Apr 12, 2021 10:36:18.060220003 CEST192.168.2.48.8.8.80x4075Standard query (0)clientconfig.passport.netA (IP address)IN (0x0001)
                                                              Apr 12, 2021 10:36:24.595521927 CEST192.168.2.48.8.8.80x13deStandard query (0)bornforthis.mlA (IP address)IN (0x0001)
                                                              Apr 12, 2021 10:36:24.839468956 CEST192.168.2.48.8.8.80x4671Standard query (0)bornforthis.mlA (IP address)IN (0x0001)
                                                              Apr 12, 2021 10:38:08.868843079 CEST192.168.2.48.8.8.80x63f0Standard query (0)mail.jumatsedekah.comA (IP address)IN (0x0001)
                                                              Apr 12, 2021 10:38:09.272105932 CEST192.168.2.48.8.8.80x8092Standard query (0)mail.jumatsedekah.comA (IP address)IN (0x0001)
                                                              Apr 12, 2021 10:38:16.059360981 CEST192.168.2.48.8.8.80x5d9aStandard query (0)mail.jumatsedekah.comA (IP address)IN (0x0001)
                                                              Apr 12, 2021 10:38:16.127177954 CEST192.168.2.48.8.8.80x4ff4Standard query (0)mail.jumatsedekah.comA (IP address)IN (0x0001)

                                                              DNS Answers

                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                              Apr 12, 2021 10:36:18.132759094 CEST8.8.8.8192.168.2.40x4075No error (0)clientconfig.passport.netauthgfx.msa.akadns6.netCNAME (Canonical name)IN (0x0001)
                                                              Apr 12, 2021 10:36:24.704716921 CEST8.8.8.8192.168.2.40x13deNo error (0)bornforthis.ml104.21.17.57A (IP address)IN (0x0001)
                                                              Apr 12, 2021 10:36:24.704716921 CEST8.8.8.8192.168.2.40x13deNo error (0)bornforthis.ml172.67.222.176A (IP address)IN (0x0001)
                                                              Apr 12, 2021 10:36:24.949664116 CEST8.8.8.8192.168.2.40x4671No error (0)bornforthis.ml104.21.17.57A (IP address)IN (0x0001)
                                                              Apr 12, 2021 10:36:24.949664116 CEST8.8.8.8192.168.2.40x4671No error (0)bornforthis.ml172.67.222.176A (IP address)IN (0x0001)
                                                              Apr 12, 2021 10:38:09.259047985 CEST8.8.8.8192.168.2.40x63f0No error (0)mail.jumatsedekah.comjumatsedekah.comCNAME (Canonical name)IN (0x0001)
                                                              Apr 12, 2021 10:38:09.259047985 CEST8.8.8.8192.168.2.40x63f0No error (0)jumatsedekah.com101.50.1.12A (IP address)IN (0x0001)
                                                              Apr 12, 2021 10:38:09.619596958 CEST8.8.8.8192.168.2.40x8092No error (0)mail.jumatsedekah.comjumatsedekah.comCNAME (Canonical name)IN (0x0001)
                                                              Apr 12, 2021 10:38:09.619596958 CEST8.8.8.8192.168.2.40x8092No error (0)jumatsedekah.com101.50.1.12A (IP address)IN (0x0001)
                                                              Apr 12, 2021 10:38:16.116512060 CEST8.8.8.8192.168.2.40x5d9aNo error (0)mail.jumatsedekah.comjumatsedekah.comCNAME (Canonical name)IN (0x0001)
                                                              Apr 12, 2021 10:38:16.116512060 CEST8.8.8.8192.168.2.40x5d9aNo error (0)jumatsedekah.com101.50.1.12A (IP address)IN (0x0001)
                                                              Apr 12, 2021 10:38:16.189141989 CEST8.8.8.8192.168.2.40x4ff4No error (0)mail.jumatsedekah.comjumatsedekah.comCNAME (Canonical name)IN (0x0001)
                                                              Apr 12, 2021 10:38:16.189141989 CEST8.8.8.8192.168.2.40x4ff4No error (0)jumatsedekah.com101.50.1.12A (IP address)IN (0x0001)

                                                              HTTP Request Dependency Graph

                                                              • bornforthis.ml

                                                              HTTP Packets

                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                              0192.168.2.449729104.21.17.5780C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                                                              TimestampkBytes transferredDirectionData
                                                              Apr 12, 2021 10:36:24.775732994 CEST2179OUTGET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7E01452C0469561541C13E621DA21CFA.html HTTP/1.1
                                                              UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
                                                              Host: bornforthis.ml
                                                              Connection: Keep-Alive
                                                              Apr 12, 2021 10:36:24.826509953 CEST2180INHTTP/1.1 301 Moved Permanently
                                                              Date: Mon, 12 Apr 2021 08:36:24 GMT
                                                              Transfer-Encoding: chunked
                                                              Connection: keep-alive
                                                              Cache-Control: max-age=3600
                                                              Expires: Mon, 12 Apr 2021 09:36:24 GMT
                                                              Location: https://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7E01452C0469561541C13E621DA21CFA.html
                                                              cf-request-id: 0966d29e6800004ecd67935000000001
                                                              Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=twxr%2BSI6rYQaVfzG8PKFpSlck5Txfcz5WjZYDlls6Lm4qQSq0paVQohF3KplvoTokxYbE9NH4tKxADfQL65fE5TAvZjXITH4o5zsMu1o0g%3D%3D"}],"max_age":604800}
                                                              NEL: {"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 63eb20770ae24ecd-FRA
                                                              alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                              Data Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              HTTPS Packets

                                                              TimestampSource IPSource PortDest IPDest PortSubjectIssuerNot BeforeNot AfterJA3 SSL Client FingerprintJA3 SSL Client Digest
                                                              Apr 12, 2021 10:36:25.066550970 CEST104.21.17.57443192.168.2.449730CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=USCN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IESat Apr 03 02:00:00 CEST 2021 Mon Jan 27 13:48:08 CET 2020Sun Apr 03 01:59:59 CEST 2022 Wed Jan 01 00:59:59 CET 2025769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,054328bd36c14bd82ddaa0c04b25ed9ad
                                                              CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=USCN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IEMon Jan 27 13:48:08 CET 2020Wed Jan 01 00:59:59 CET 2025

                                                              SMTP Packets

                                                              TimestampSource PortDest PortSource IPDest IPCommands
                                                              Apr 12, 2021 10:38:10.901546001 CEST58749771101.50.1.12192.168.2.4220-palapa2.lazeon.com ESMTP Exim 4.94 #2 Mon, 12 Apr 2021 15:38:10 +0700
                                                              220-We do not authorize the use of this system to transport unsolicited,
                                                              220 and/or bulk e-mail.
                                                              Apr 12, 2021 10:38:10.901946068 CEST49771587192.168.2.4101.50.1.12EHLO 141700
                                                              Apr 12, 2021 10:38:11.285253048 CEST58749771101.50.1.12192.168.2.4250-palapa2.lazeon.com Hello 141700 [84.17.52.3]
                                                              250-SIZE 52428800
                                                              250-8BITMIME
                                                              250-PIPELINING
                                                              250-X_PIPE_CONNECT
                                                              250-AUTH PLAIN LOGIN
                                                              250-STARTTLS
                                                              250 HELP
                                                              Apr 12, 2021 10:38:11.287487030 CEST49771587192.168.2.4101.50.1.12AUTH login dWdvb29AanVtYXRzZWRla2FoLmNvbQ==
                                                              Apr 12, 2021 10:38:11.670440912 CEST58749771101.50.1.12192.168.2.4334 UGFzc3dvcmQ6
                                                              Apr 12, 2021 10:38:12.275688887 CEST58749771101.50.1.12192.168.2.4235 Authentication succeeded
                                                              Apr 12, 2021 10:38:12.276489973 CEST49771587192.168.2.4101.50.1.12MAIL FROM:<ugooo@jumatsedekah.com>
                                                              Apr 12, 2021 10:38:12.658912897 CEST58749771101.50.1.12192.168.2.4250 OK
                                                              Apr 12, 2021 10:38:13.574592113 CEST49771587192.168.2.4101.50.1.12RCPT TO:<ugooo@jumatsedekah.com>
                                                              Apr 12, 2021 10:38:13.966079950 CEST58749771101.50.1.12192.168.2.4250 Accepted
                                                              Apr 12, 2021 10:38:13.966687918 CEST49771587192.168.2.4101.50.1.12DATA
                                                              Apr 12, 2021 10:38:14.349075079 CEST58749771101.50.1.12192.168.2.4354 Enter message, ending with "." on a line by itself
                                                              Apr 12, 2021 10:38:14.351974010 CEST49771587192.168.2.4101.50.1.12.
                                                              Apr 12, 2021 10:38:14.773734093 CEST58749771101.50.1.12192.168.2.4250 OK id=1lVs5G-00CQJ0-5N
                                                              Apr 12, 2021 10:38:15.636245966 CEST49771587192.168.2.4101.50.1.12QUIT
                                                              Apr 12, 2021 10:38:16.019965887 CEST58749771101.50.1.12192.168.2.4221 palapa2.lazeon.com closing connection
                                                              Apr 12, 2021 10:38:17.146130085 CEST58749772101.50.1.12192.168.2.4220-palapa2.lazeon.com ESMTP Exim 4.94 #2 Mon, 12 Apr 2021 15:38:16 +0700
                                                              220-We do not authorize the use of this system to transport unsolicited,
                                                              220 and/or bulk e-mail.
                                                              Apr 12, 2021 10:38:17.146523952 CEST49772587192.168.2.4101.50.1.12EHLO 141700
                                                              Apr 12, 2021 10:38:17.529516935 CEST58749772101.50.1.12192.168.2.4250-palapa2.lazeon.com Hello 141700 [84.17.52.3]
                                                              250-SIZE 52428800
                                                              250-8BITMIME
                                                              250-PIPELINING
                                                              250-X_PIPE_CONNECT
                                                              250-AUTH PLAIN LOGIN
                                                              250-STARTTLS
                                                              250 HELP
                                                              Apr 12, 2021 10:38:17.529968023 CEST49772587192.168.2.4101.50.1.12AUTH login dWdvb29AanVtYXRzZWRla2FoLmNvbQ==
                                                              Apr 12, 2021 10:38:17.912556887 CEST58749772101.50.1.12192.168.2.4334 UGFzc3dvcmQ6
                                                              Apr 12, 2021 10:38:18.304012060 CEST58749772101.50.1.12192.168.2.4235 Authentication succeeded
                                                              Apr 12, 2021 10:38:18.304624081 CEST49772587192.168.2.4101.50.1.12MAIL FROM:<ugooo@jumatsedekah.com>
                                                              Apr 12, 2021 10:38:18.687441111 CEST58749772101.50.1.12192.168.2.4250 OK
                                                              Apr 12, 2021 10:38:18.688136101 CEST49772587192.168.2.4101.50.1.12RCPT TO:<ugooo@jumatsedekah.com>
                                                              Apr 12, 2021 10:38:19.077743053 CEST58749772101.50.1.12192.168.2.4250 Accepted
                                                              Apr 12, 2021 10:38:19.077977896 CEST49772587192.168.2.4101.50.1.12DATA
                                                              Apr 12, 2021 10:38:19.460474014 CEST58749772101.50.1.12192.168.2.4354 Enter message, ending with "." on a line by itself
                                                              Apr 12, 2021 10:38:19.464118958 CEST49772587192.168.2.4101.50.1.12.
                                                              Apr 12, 2021 10:38:19.890129089 CEST58749772101.50.1.12192.168.2.4250 OK id=1lVs5L-00CQKy-91

                                                              Code Manipulations

                                                              Statistics

                                                              Behavior

                                                              Click to jump to process

                                                              System Behavior

                                                              Analysis Process: KHAWATMI CO.IMPORT & EXPORT_PDF.exe PID: 7092 Parent PID: 5996

                                                              General

                                                              Start time:10:36:22
                                                              Start date:12/04/2021
                                                              Path:C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe'
                                                              Imagebase:0xa60000
                                                              File size:14336 bytes
                                                              MD5 hash:EE8919FF7B5F2A89B6C1984A6A3B7FBC
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Yara matches:
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.666349714.0000000003F22000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.669235815.0000000005DE1000.00000004.00000001.sdmp, Author: Joe Security
                                                              Reputation:low

                                                              Analysis Process: cmd.exe PID: 244 Parent PID: 7092

                                                              General

                                                              Start time:10:36:28
                                                              Start date:12/04/2021
                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Windows\System32\cmd.exe' /c timeout 1
                                                              Imagebase:0x11d0000
                                                              File size:232960 bytes
                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              Analysis Process: conhost.exe PID: 6076 Parent PID: 244

                                                              General

                                                              Start time:10:36:28
                                                              Start date:12/04/2021
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff724c50000
                                                              File size:625664 bytes
                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              Analysis Process: timeout.exe PID: 6348 Parent PID: 244

                                                              General

                                                              Start time:10:36:28
                                                              Start date:12/04/2021
                                                              Path:C:\Windows\SysWOW64\timeout.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:timeout 1
                                                              Imagebase:0xbc0000
                                                              File size:26112 bytes
                                                              MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              Analysis Process: KHAWATMI CO.IMPORT & EXPORT_PDF.exe PID: 3280 Parent PID: 7092

                                                              General

                                                              Start time:10:36:31
                                                              Start date:12/04/2021
                                                              Path:C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                                                              Imagebase:0x3b0000
                                                              File size:14336 bytes
                                                              MD5 hash:EE8919FF7B5F2A89B6C1984A6A3B7FBC
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:low

                                                              Analysis Process: KHAWATMI CO.IMPORT & EXPORT_PDF.exe PID: 1288 Parent PID: 7092

                                                              General

                                                              Start time:10:36:31
                                                              Start date:12/04/2021
                                                              Path:C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Users\user\Desktop\KHAWATMI CO.IMPORT & EXPORT_PDF.exe
                                                              Imagebase:0xcf0000
                                                              File size:14336 bytes
                                                              MD5 hash:EE8919FF7B5F2A89B6C1984A6A3B7FBC
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Yara matches:
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.906435816.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.910151654.00000000030D1000.00000004.00000001.sdmp, Author: Joe Security
                                                              Reputation:low

                                                              Analysis Process: WerFault.exe PID: 5848 Parent PID: 7092

                                                              General

                                                              Start time:10:36:33
                                                              Start date:12/04/2021
                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 2116
                                                              Imagebase:0x10000
                                                              File size:434592 bytes
                                                              MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Reputation:high

                                                              Analysis Process: firefox.exe PID: 7036 Parent PID: 3424

                                                              General

                                                              Start time:10:37:00
                                                              Start date:12/04/2021
                                                              Path:C:\Users\user\AppData\Roaming\firefox\firefox.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Users\user\AppData\Roaming\firefox\firefox.exe'
                                                              Imagebase:0x270000
                                                              File size:14336 bytes
                                                              MD5 hash:EE8919FF7B5F2A89B6C1984A6A3B7FBC
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Yara matches:
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.752549672.0000000003F25000.00000004.00000001.sdmp, Author: Joe Security
                                                              Antivirus matches:
                                                              • Detection: 100%, Joe Sandbox ML
                                                              • Detection: 12%, ReversingLabs
                                                              Reputation:low

                                                              Analysis Process: cmd.exe PID: 1584 Parent PID: 7036

                                                              General

                                                              Start time:10:37:03
                                                              Start date:12/04/2021
                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Windows\System32\cmd.exe' /c timeout 1
                                                              Imagebase:0x11d0000
                                                              File size:232960 bytes
                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              Analysis Process: conhost.exe PID: 6264 Parent PID: 1584

                                                              General

                                                              Start time:10:37:03
                                                              Start date:12/04/2021
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff724c50000
                                                              File size:625664 bytes
                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              Analysis Process: timeout.exe PID: 6188 Parent PID: 1584

                                                              General

                                                              Start time:10:37:04
                                                              Start date:12/04/2021
                                                              Path:C:\Windows\SysWOW64\timeout.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:timeout 1
                                                              Imagebase:0xbc0000
                                                              File size:26112 bytes
                                                              MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              Analysis Process: firefox.exe PID: 4244 Parent PID: 7036

                                                              General

                                                              Start time:10:37:07
                                                              Start date:12/04/2021
                                                              Path:C:\Users\user\AppData\Roaming\firefox\firefox.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Users\user\AppData\Roaming\firefox\firefox.exe
                                                              Imagebase:0x4e0000
                                                              File size:14336 bytes
                                                              MD5 hash:EE8919FF7B5F2A89B6C1984A6A3B7FBC
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Yara matches:
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.906456012.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.909476623.0000000002881000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.909476623.0000000002881000.00000004.00000001.sdmp, Author: Joe Security
                                                              Reputation:low

                                                              Analysis Process: WerFault.exe PID: 2860 Parent PID: 7036

                                                              General

                                                              Start time:10:37:08
                                                              Start date:12/04/2021
                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7036 -s 1480
                                                              Imagebase:0x10000
                                                              File size:434592 bytes
                                                              MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Reputation:high

                                                              Analysis Process: firefox.exe PID: 1620 Parent PID: 3424

                                                              General

                                                              Start time:10:37:08
                                                              Start date:12/04/2021
                                                              Path:C:\Users\user\AppData\Roaming\firefox\firefox.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Users\user\AppData\Roaming\firefox\firefox.exe'
                                                              Imagebase:0x7ff6ffe50000
                                                              File size:14336 bytes
                                                              MD5 hash:EE8919FF7B5F2A89B6C1984A6A3B7FBC
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Reputation:low

                                                              Disassembly

                                                              Code Analysis

                                                              Reset < >