Windows Analysis Report K0bg9rZl2L

Overview

General Information

Sample Name: K0bg9rZl2L (renamed file extension from none to exe)
Analysis ID: 452750
MD5: 699e56ea4da0b0865fc33308a8b09df9
SHA1: c32dff686616f747f808a5c0bc67484d4755f568
SHA256: e5805ba9f9119986eb49be00972cb30d5249f8c19c872c4daacb2ad67a157bb5
Tags: 32, exe, trojan
Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • K0bg9rZl2L.exe (PID: 6860 cmdline: 'C:\Users\user\Desktop\K0bg9rZl2L.exe' MD5: 699E56EA4DA0B0865FC33308A8B09DF9)
    • powershell.exe (PID: 7060 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\K0bg9rZl2L.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • K0bg9rZl2L.exe (PID: 1316 cmdline: C:\Users\user\Desktop\K0bg9rZl2L.exe MD5: 699E56EA4DA0B0865FC33308A8B09DF9)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "bookings@simpleitalian.com.au", "Password": "SIpassword101$", "Host": "mail.simpleitalian.com.au"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.916660808.00000000029C1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000006.00000002.914072243.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000006.00000002.914072243.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
(11 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.K0bg9rZl2L.exe.5a70000.6.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
0.2.K0bg9rZl2L.exe.3b01478.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.K0bg9rZl2L.exe.3b01478.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.K0bg9rZl2L.exe.3ae1458.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.K0bg9rZl2L.exe.3ae1458.1.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
(13 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Powershell Defender Exclusion
Source: Process started
Author: Florian Roth
Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\K0bg9rZl2L.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\K0bg9rZl2L.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\K0bg9rZl2L.exe', ParentImage: C:\Users\user\Desktop\K0bg9rZl2L.exe, ParentProcessId: 6860, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\K0bg9rZl2L.exe' -Force, ProcessId: 7060

Sigma detected: Non Interactive PowerShell
Source: Process started
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\K0bg9rZl2L.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\K0bg9rZl2L.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\K0bg9rZl2L.exe', ParentImage: C:\Users\user\Desktop\K0bg9rZl2L.exe, ParentProcessId: 6860, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\K0bg9rZl2L.exe' -Force, ProcessId: 7060

                      Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.K0bg9rZl2L.exe.3879510.2.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "bookings@simpleitalian.com.au", "Password": "SIpassword101$", "Host": "mail.simpleitalian.com.au"}
Multi AV Scanner detection for domain / URL
Source: bakercost.gq | Virustotal: Detection: 13%
Multi AV Scanner detection for submitted file
Source: K0bg9rZl2L.exe | Virustotal: Detection: 36%
Source: K0bg9rZl2L.exe | ReversingLabs: Detection: 21%
Machine Learning detection for sample
Source: K0bg9rZl2L.exe | Joe Sandbox ML: detected
Source: 6.2.K0bg9rZl2L.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Exploits:

Yara detected UAC Bypass using CMSTP
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.5a70000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.433dbb8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.5a70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.433dbb8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.698060077.0000000005A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: K0bg9rZl2L.exe PID: 6860, type: MEMORY
Source: unknown | HTTPS traffic detected: 172.67.156.203:443 -> 192.168.2.4:49724 version: TLS 1.0
Source: K0bg9rZl2L.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 103.18.109.159:587
Source: Joe Sandbox View | IP Address: 172.67.156.203
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: NET1-AS-APNetVirtuePtyLtdAU
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS traffic detected: queries for: bakercost.gq
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s220b/0_Salah-Pressing.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s180/0_Curtis-10.png
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s220b/0_Salah-Goal-vs-Leeds.jp
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s180/0_GettyImages-1304940818.
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s180/0_GettyImages-1273716690.
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s615/0_GettyImages-1302496803.
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s615/1_WhatsApp-Image-2021-03-
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178
                      Source: K0bg9rZl2L.exe, 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmpString found in binary or memory: https://mab.data.tm-awx.com/rhs
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://mab.data.tm-awx.com/rhs&quot;
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://quantcast.mgr.consensu.org
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://reach-id.orbit.tm-awx.com/analytics.js.gz
                      Source: K0bg9rZl2L.exe, 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmpString found in binary or memory: https://reachplc.hub.loginradius.com
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://reachplc.hub.loginradius.com&quot;
                      Source: K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.liverpool.com
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.liverpool.com/
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.mirror.co.uk/
                      Source: K0bg9rZl2L.exe, 00000006.00000002.915196775.0000000000DC0000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
                      Source: K0bg9rZl2L.exe, 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmpString found in binary or memory: https://secure.widget.cloud.opta.net/v3/css/v3.core.opta-widgets.css
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://securepubads.g.doubleclick.net/tag/js/gpt.js
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://static.hotjar.com/c/hotjar-
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://trinitymirror.grapeshot.co.uk/
                      Source: K0bg9rZl2L.exe, 00000000.00000002.666708032.0000000000B57000.00000004.00000020.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://www.google-analytics.com
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-M3TH25P
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/andrew-robertson
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/champions-league
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/curtis-user
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/georginio-wijnaldum
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/mohamed-salah
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/ozan-kabak
                      Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/premier-league
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/sadio-mane
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/steven-gerrard
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/transfers
                      Source: K0bg9rZl2L.exe, 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/cookie-policy/
                      Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/
                      Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/
                      Source: K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166
                      Source: K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-barcelona-real-madrid-psg-17164868
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-curtis-user-jurgen-klopp-19941053
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-gini-wijnaldum-rumours-fitness-199533
                      Source: K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836
                      Source: K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-sadio-mane-expected-goals-19932676
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763&
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-199590
                      Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst
                      Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/schedule/
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154
                      Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/search/
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000006.00000002.914072243.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: K0bg9rZl2L.exe, 00000006.00000002.916660808.00000000029C1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: K0bg9rZl2L.exe, 00000006.00000002.917197533.0000000002CE5000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000006.00000002.917371104.0000000002D55000.00000004.00000001.sdmpString found in binary or memory: https://yBn4IuANygFMcOSp.com
                      Source: K0bg9rZl2L.exe, 00000006.00000002.916660808.00000000029C1000.00000004.00000001.sdmpString found in binary or memory: https://yBn4IuANygFMcOSp.com0
                      Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724

                      System Summary:

                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_027D0870
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_027DD890
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_0285C368
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_028501A2
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_0285E4B8
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_0285F510
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_0285AB90
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_0285D9A0
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_028509A8
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_028509B8
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_00F520F0
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_00F56CE8
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_00F537D6
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_00F5B130
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_00F592F0
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_00F57428
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_00F5E5D8
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_00F57528
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_00F9BA18
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_00F96990
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_027E46A0
                      Source: K0bg9rZl2L.exe | Binary or memory string: OriginalFilename vs K0bg9rZl2L.exe
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWindowsApp1.exe8 vs K0bg9rZl2L.exe
                      Source: K0bg9rZl2L.exe, 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameYVAU TjZ.exe2 vs K0bg9rZl2L.exe
                      Source: K0bg9rZl2L.exe, 00000000.00000002.666138477.0000000000552000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameF67b9O9XfbiW6JN101b0575e.exeR vs K0bg9rZl2L.exe
                      Source: K0bg9rZl2L.exe, 00000000.00000002.697157152.0000000004E50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs K0bg9rZl2L.exe
                      Source: K0bg9rZl2L.exe, 00000000.00000002.698716743.0000000006600000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs K0bg9rZl2L.exe
                      Source: K0bg9rZl2L.exe, 00000006.00000002.914072243.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameYVAU TjZ.exe2 vs K0bg9rZl2L.exe
                      Source: K0bg9rZl2L.exe, 00000006.00000000.665731094.00000000005A2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameF67b9O9XfbiW6JN101b0575e.exeR vs K0bg9rZl2L.exe
                      Source: K0bg9rZl2L.exe, 00000006.00000002.915282847.0000000000EC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs K0bg9rZl2L.exe
                      Source: K0bg9rZl2L.exe, 00000006.00000002.914223785.0000000000938000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs K0bg9rZl2L.exe
                      Source: K0bg9rZl2L.exe, 00000006.00000002.914884009.0000000000BCA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs K0bg9rZl2L.exe
                      Source: K0bg9rZl2L.exe, 00000006.00000002.915392610.0000000000F30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs K0bg9rZl2L.exe
                      Source: K0bg9rZl2L.exe | Binary or memory string: OriginalFilenameF67b9O9XfbiW6JN101b0575e.exeR vs K0bg9rZl2L.exe
                      Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@6/8@3/3
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | File created: C:\Users\user\Desktop\dedd659c48564f729136e943657b6aef.dll
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_01
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | File created: C:\Users\user\AppData\Local\Temp\14906059cf1d40cd99ff18e182ff171d
                      Source: K0bg9rZl2L.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: K0bg9rZl2L.exe | Virustotal: Detection: 36%
                      Source: K0bg9rZl2L.exe | ReversingLabs: Detection: 21%
                      Source: unknown | Process created: C:\Users\user\Desktop\K0bg9rZl2L.exe 'C:\Users\user\Desktop\K0bg9rZl2L.exe'
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\K0bg9rZl2L.exe' -Force
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Process created: C:\Users\user\Desktop\K0bg9rZl2L.exe C:\Users\user\Desktop\K0bg9rZl2L.exe
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: K0bg9rZl2L.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: K0bg9rZl2L.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: K0bg9rZl2L.exe | Static PE information: 0xAF2CEA60 [Sat Feb 17 16:46:24 2063 UTC]
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_027D92C9 push FFFFFFE9h; retf 0_2_027D92CB
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_027DD0E5 push FFFFFF8Bh; iretd 0_2_027DD0F6
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_027DD487 push dword ptr [esp+ecx*2-75h]; ret 0_2_027DD48B
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_02858195 push FFFFFF8Bh; retf 0_2_02858197
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_028581E9 push FFFFFF8Bh; retf 0_2_028581EB
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_028559F8 push esp; retf 0_2_028559F9
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_0278D95C push eax; ret 6_2_0278D95D
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_0278E332 push eax; ret 6_2_0278E349
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX