
Windows Analysis Report K0bg9rZl2L

Overview

General Information

Sample Name: K0bg9rZl2L (renamed file extension from none to exe)
Analysis ID: 452750
MD5: 699e56ea4da0b0865fc33308a8b09df9
SHA1: c32dff686616f747f808a5c0bc67484d4755f568
SHA256: e5805ba9f9119986eb49be00972cb30d5249f8c19c872c4daacb2ad67a157bb5
Tags: 32, exe, trojan

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • K0bg9rZl2L.exe (PID: 6860 cmdline: 'C:\Users\user\Desktop\K0bg9rZl2L.exe' MD5: 699E56EA4DA0B0865FC33308A8B09DF9)
    • powershell.exe (PID: 7060 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\K0bg9rZl2L.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • K0bg9rZl2L.exe (PID: 1316 cmdline: C:\Users\user\Desktop\K0bg9rZl2L.exe MD5: 699E56EA4DA0B0865FC33308A8B09DF9)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "bookings@simpleitalian.com.au", "Password": "SIpassword101$", "Host": "mail.simpleitalian.com.au"}

The configured exfiltration channel is authenticated SMTP to mail.simpleitalian.com.au. The outbound 192.168.2.4:49757 -> 103.18.109.159:587 connection under the traffic findings below (ASN NET1-AS-AP NetVirtue Pty Ltd, AU) is consistent with that host, and the second K0bg9rZl2L.exe instance (dump index 00000006) is the one whose memory contains the mail.simpleitalian.com.au and simpleitalian.com.au strings.

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000006.00000002.916660808.00000000029C1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.914072243.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.914072243.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
(11 further entries not shown)

            Unpacked PEs

Source | Rule | Description | Author
0.2.K0bg9rZl2L.exe.5a70000.6.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.2.K0bg9rZl2L.exe.3b01478.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.K0bg9rZl2L.exe.3b01478.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.K0bg9rZl2L.exe.3ae1458.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.K0bg9rZl2L.exe.3ae1458.1.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(13 further entries not shown)

                      Sigma Overview

                      System Summary:

Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth
Data:
  Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\K0bg9rZl2L.exe' -Force
  CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\K0bg9rZl2L.exe' -Force
  CommandLine|base64offset|contains: ~2yzw
  Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: 'C:\Users\user\Desktop\K0bg9rZl2L.exe'
  ParentImage: C:\Users\user\Desktop\K0bg9rZl2L.exe
  ParentProcessId: 6860
  ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\K0bg9rZl2L.exe' -Force
  ProcessId: 7060

Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data: the same process-creation event as above (ProcessId 7060, ParentProcessId 6860). The rule fires because PowerShell was started by the sample, C:\Users\user\Desktop\K0bg9rZl2L.exe, rather than by an interactive shell such as explorer.exe.

Note the path mismatch in this event: the command line names System32\WindowsPowerShell\v1.0\powershell.exe, but the image actually created is under SysWOW64. The sample is a 32-bit process (Tags: 32), so WOW64 file-system redirection serves it the 32-bit PowerShell. A detection that keys on the System32 path in Image or NewProcessName misses this child; match on the file name instead.

                      Jbx Signature Overview


                      AV Detection:

Found malware configuration
Source: 0.2.K0bg9rZl2L.exe.3879510.2.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "bookings@simpleitalian.com.au", "Password": "SIpassword101$", "Host": "mail.simpleitalian.com.au"}
Multi AV Scanner detection for domain / URL
Source: bakercost.gq; Virustotal: Detection: 13%
Multi AV Scanner detection for submitted file
Source: K0bg9rZl2L.exe; Virustotal: Detection: 36%
Source: K0bg9rZl2L.exe; ReversingLabs: Detection: 21%
Machine Learning detection for sample
Source: K0bg9rZl2L.exe; Joe Sandbox ML: detected
Source: 6.2.K0bg9rZl2L.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8

                      Exploits:

Yara detected UAC Bypass using CMSTP
Source: Yara match; file source: 0.2.K0bg9rZl2L.exe.5a70000.6.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.K0bg9rZl2L.exe.433dbb8.4.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.K0bg9rZl2L.exe.5a70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.K0bg9rZl2L.exe.433dbb8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.698060077.0000000005A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: K0bg9rZl2L.exe PID: 6860, type: MEMORY

These are static Yara matches on unpacked payloads and on the first instance's memory. The process tree for this run contains no cmstp.exe launch, so the CMSTP UAC-bypass code is present in the unpacked payload but was not observed executing; the only privilege-related action actually seen is the Defender exclusion added through PowerShell.
Source: unknown; HTTPS traffic detected: 172.67.156.203:443 -> 192.168.2.4:49724 version: TLS 1.0
Source: K0bg9rZl2L.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: global traffic; TCP traffic: 192.168.2.4:49757 -> 103.18.109.159:587
Source: Joe Sandbox View; IP Address: 172.67.156.203
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; ASN Name: NET1-AS-APNetVirtuePtyLtdAU
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
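Replaying the report's detections as code. The block below is an added example written for this page; it is not Joe Sandbox, Sigma or AgentTesla code. Over a constructed Sysmon-style event stream it re-implements the two Sigma rules from the System Summary above (Defender exclusion via Add-MpPreference, and PowerShell with a non-shell parent), the self-spawn from a user-writable path that the process tree shows (PID 6860 creating a second K0bg9rZl2L.exe, PID 1316), and the outbound 587/tcp connection listed above, then scores every hit that rolls up to the same root process as one chain. Assumptions that are not in the report: the sample's own parent (explorer.exe, PID 4000), the attribution of the 103.18.109.159:587 connection to PID 1316, the simplified parent filter for the non-interactive rule (the real rule carries more exclusions), the two benign control events, and the rule weights and threshold.

```python
"""
Added example (not Joe Sandbox, Sigma or AgentTesla code): a small rule engine
that replays this report's detections over constructed events and scores them
as one process chain.

Event fields are modelled on Sysmon EID 1 (process creation) and EID 3
(network connection). Assumed, not taken from the report: the sample's parent
(explorer.exe, PID 4000), that PID 1316 made the 587/tcp connection, the two
benign control events, and the weights and threshold.
"""
import ntpath
from collections import defaultdict

# Constructed events; PIDs, images and command lines mirror the report's process tree.
EVENTS = [
    {"eid": 1, "pid": 6860, "ppid": 4000,
     "image": r"C:\Users\user\Desktop\K0bg9rZl2L.exe",
     "parent_image": r"C:\Windows\explorer.exe",                      # assumed parent
     "cmdline": r"'C:\Users\user\Desktop\K0bg9rZl2L.exe'"},
    {"eid": 1, "pid": 7060, "ppid": 6860,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\user\Desktop\K0bg9rZl2L.exe",
     "cmdline": r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' "
                r"Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\K0bg9rZl2L.exe' -Force"},
    {"eid": 1, "pid": 1316, "ppid": 6860,
     "image": r"C:\Users\user\Desktop\K0bg9rZl2L.exe",
     "parent_image": r"C:\Users\user\Desktop\K0bg9rZl2L.exe",
     "cmdline": r"C:\Users\user\Desktop\K0bg9rZl2L.exe"},
    {"eid": 3, "pid": 1316, "image": r"C:\Users\user\Desktop\K0bg9rZl2L.exe",   # attribution assumed
     "dst_ip": "103.18.109.159", "dst_port": 587},
    # Benign controls (constructed): an interactive admin shell and a real mail client.
    {"eid": 1, "pid": 5000, "ppid": 4000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe Get-MpPreference"},
    {"eid": 3, "pid": 5100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_ip": "203.0.113.25", "dst_port": 587},
]

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}          # assumed allowlist
POWERSHELL = {"powershell.exe", "pwsh.exe"}
EXCLUSION_FLAGS = (" -exclusionpath ", " -exclusionextension ", " -exclusionprocess ")


def basename(path):
    # Match on the file name only: the 32-bit sample's child lives under SysWOW64.
    return ntpath.basename(path).lower()


def rule_defender_exclusion(ev):
    if ev["eid"] != 1 or basename(ev["image"]) not in POWERSHELL:
        return None
    cl = " " + ev["cmdline"].lower() + " "
    if "add-mppreference" in cl and any(flag in cl for flag in EXCLUSION_FLAGS):
        return ("defender_exclusion", 60)
    return None


def rule_non_interactive_powershell(ev):
    # Simplified: the Sigma rule also filters other legitimate launchers.
    if ev["eid"] != 1 or basename(ev["image"]) not in POWERSHELL:
        return None
    if basename(ev["parent_image"]) != "explorer.exe":
        return ("non_interactive_powershell", 20)
    return None


def rule_self_spawn_user_path(ev):
    # A process re-launching its own image from a user-writable path is the
    # usual observable of a suspended-process injection (RunPE / hollowing).
    if ev["eid"] != 1:
        return None
    img = ev["image"].lower()
    if img == ev["parent_image"].lower() and any(p in img for p in USER_WRITABLE):
        return ("self_spawn_from_user_writable_path", 40)
    return None


def rule_smtp_from_non_mail_client(ev):
    if ev["eid"] != 3 or ev["dst_port"] not in (25, 465, 587):
        return None
    if basename(ev["image"]) not in MAIL_CLIENTS:
        return ("smtp_from_non_mail_client", 50)
    return None


RULES = [rule_defender_exclusion, rule_non_interactive_powershell,
         rule_self_spawn_user_path, rule_smtp_from_non_mail_client]


def root_pid(pid, parents):
    """Walk the parent chain up to the first process whose own parent is unknown."""
    while parents.get(pid) in parents:
        pid = parents[pid]
    return pid


def evaluate(events, threshold=100):
    """Return {root_pid: {"hits": [(pid, rule_name)], "score": n}} for chains at or above threshold."""
    parents = {e["pid"]: e["ppid"] for e in events if e["eid"] == 1}
    chains = defaultdict(lambda: {"hits": [], "score": 0})
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is None:
                continue
            name, weight = hit
            root = root_pid(ev["pid"], parents)
            chains[root]["hits"].append((ev["pid"], name))
            chains[root]["score"] += weight
    return {root: chain for root, chain in chains.items() if chain["score"] >= threshold}


if __name__ == "__main__":
    for root, chain in evaluate(EVENTS).items():
        print(f"root PID {root}: score {chain['score']}")
        for pid, name in chain["hits"]:
            print(f"  PID {pid}: {name}")
```

Run as a script it reports one chain, rooted at PID 6860, with all four hits. The threshold is deliberately higher than any single weight: an administrator's interactive `Add-MpPreference` alone does not alert, while the same exclusion followed by a self-spawn and a mail submission from the same tree does. Per-rule alerts can of course still be forwarded separately; the chain score is a triage aid, not a replacement.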
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp; String found in binary or memory: this region of the first K0bg9rZl2L.exe instance holds the complete HTML of a liverpool.com article (og:title "The Brewster Experience has underdelivered so far, but that will change", og:url https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763, published 2019-10-30). Four fragments of that page (the site footer, the site header, the Open Graph meta block and the article end with its social-follow widget) each produced a match per social-network string, reported as "equals www.facebook.com (Facebook)" and "equals www.twitter.com (Twitter)", because they embed the follow links https://www.facebook.com/liverpooldotcom and https://twitter.com/liverpoolcom_. These are matches on fetched web content, not on the sample's own code; they are consistent with the liverpool-fc-news path requested from bakercost.gq listed below, although the report does not itself tie the two together.
Source: unknown; DNS traffic detected: queries for: bakercost.gq
Source: K0bg9rZl2L.exe, 00000006.00000002.916660808.00000000029C1000.00000004.00000001.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: K0bg9rZl2L.exe, 00000006.00000002.916660808.00000000029C1000.00000004.00000001.sdmp; String found in binary or memory: http://DynDns.comDynDNS
Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp; String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: K0bg9rZl2L.exe, 00000006.00000002.915196775.0000000000DC0000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoN
Source: K0bg9rZl2L.exe, 00000006.00000002.915075065.0000000000C72000.00000004.00000020.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: K0bg9rZl2L.exe, 00000006.00000002.915232144.0000000000DEC000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: K0bg9rZl2L.exe, 00000006.00000002.915075065.0000000000C72000.00000004.00000020.sdmp; String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: K0bg9rZl2L.exe, 00000006.00000002.915196775.0000000000DC0000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp; String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: K0bg9rZl2L.exe, 00000000.00000002.666708032.0000000000B57000.00000004.00000020.sdmp; String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp; String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: K0bg9rZl2L.exe, 00000006.00000002.917276923.0000000002D29000.00000004.00000001.sdmp; String found in binary or memory: http://mail.simpleitalian.com.au
Source: K0bg9rZl2L.exe, 00000006.00000002.915075065.0000000000C72000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
Source: K0bg9rZl2L.exe, 00000006.00000002.915196775.0000000000DC0000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodt
Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.digicert.com0
Source: K0bg9rZl2L.exe, 00000000.00000002.666708032.0000000000B57000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.digicert.com0:
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp; String found in binary or memory: http://schema.org/BreadcrumbList
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp; String found in binary or memory: http://schema.org/ListItem
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp; String found in binary or memory: http://schema.org/NewsArticle
Source: K0bg9rZl2L.exe, 00000000.00000002.667259395.0000000002871000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: K0bg9rZl2L.exe, 00000006.00000002.917276923.0000000002D29000.00000004.00000001.sdmp; String found in binary or memory: http://simpleitalian.com.au
Source: K0bg9rZl2L.exe, 00000006.00000002.916660808.00000000029C1000.00000004.00000001.sdmp; String found in binary or memory: http://tKqrxG.com
Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp; String found in binary or memory: http://www.digicert.com/CPS0v
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp; String found in binary or memory: https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js
Source: K0bg9rZl2L.exe, 00000006.00000002.916660808.00000000029C1000.00000004.00000001.sdmp; String found in binary or memory: https://api.ipify.org%$
Source: K0bg9rZl2L.exe, 00000006.00000002.916660808.00000000029C1000.00000004.00000001.sdmp; String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: K0bg9rZl2L.exe, 00000000.00000002.667259395.0000000002871000.00000004.00000001.sdmp; String found in binary or memory: https://bakercost.gq
Source: K0bg9rZl2L.exe, 00000000.00000003.649941087.0000000000B67000.00000004.00000001.sdmp; String found in binary or memory: https://bakercost.gq/
Source: K0bg9rZl2L.exe, 00000000.00000002.667259395.0000000002871000.00000004.00000001.sdmp; String found in binary or memory: https://bakercost.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-DA64E
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp; String found in binary or memory: https://c.amazon-adsystem.com/aax2/apstag.js
Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp; String found in binary or memory: https://dash.cloudflare.com/
Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp; String found in binary or memory: https://felix.data.tm-awx.com
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp; String found in binary or memory: https://felix.data.tm-awx.com/ampconfig.json"
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp; String found in binary or memory: https://felix.data.tm-awx.com/felix.min.js
Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp; String found in binary or memory: https://github.com/ded/script.js
Source: powershell.exe, 00000003.00000003.732891085.0000000005588000.00000004.00000001.sdmp; String found in binary or memory: https://go.micro
Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article17156435.ece/ALTERNATES/s615/1_GettyImages-1183794835.
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article17166876.ece/ALTERNATES/s615/0_GettyImages-1175998874.
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp; String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s220b/0_Salah-Pressing.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s180/0_Curtis-10.png
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s220b/0_Salah-Goal-vs-Leeds.jp
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s180/0_GettyImages-1304940818.
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpg
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s180/0_GettyImages-1273716690.
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s615/0_GettyImages-1302496803.
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s615/1_WhatsApp-Image-2021-03-
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178
                      Source: K0bg9rZl2L.exe, 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmp | String found in binary or memory: https://mab.data.tm-awx.com/rhs
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://mab.data.tm-awx.com/rhs&quot;
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://quantcast.mgr.consensu.org
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://reach-id.orbit.tm-awx.com/analytics.js.gz
                      Source: K0bg9rZl2L.exe, 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmp | String found in binary or memory: https://reachplc.hub.loginradius.com
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://reachplc.hub.loginradius.com&quot;
                      Source: K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmp | String found in binary or memory: https://s2-prod.liverpool.com
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://s2-prod.liverpool.com/
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://s2-prod.mirror.co.uk/
                      Source: K0bg9rZl2L.exe, 00000006.00000002.915196775.0000000000DC0000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
                      Source: K0bg9rZl2L.exe, 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmp | String found in binary or memory: https://secure.widget.cloud.opta.net/v3/css/v3.core.opta-widgets.css
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://securepubads.g.doubleclick.net/tag/js/gpt.js
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://static.hotjar.com/c/hotjar-
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://trinitymirror.grapeshot.co.uk/
                      Source: K0bg9rZl2L.exe, 00000000.00000002.666708032.0000000000B57000.00000004.00000020.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://www.google-analytics.com
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://www.googletagmanager.com
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-M3TH25P
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/all-about/andrew-robertson
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/all-about/champions-league
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/all-about/curtis-user
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/all-about/georginio-wijnaldum
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/all-about/mohamed-salah
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/all-about/ozan-kabak
                      Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/all-about/premier-league
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/all-about/sadio-mane
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/all-about/steven-gerrard
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/all-about/transfers
                      Source: K0bg9rZl2L.exe, 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/cookie-policy/
                      Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/
                      Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/
                      Source: K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166
                      Source: K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-barcelona-real-madrid-psg-17164868
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-curtis-user-jurgen-klopp-19941053
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-gini-wijnaldum-rumours-fitness-199533
                      Source: K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836
                      Source: K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-sadio-mane-expected-goals-19932676
                      Source: K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763&
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-199590
                      Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst
                      Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/schedule/
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154
                      Source: K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmp | String found in binary or memory: https://www.liverpool.com/search/
                      Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000006.00000002.914072243.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: K0bg9rZl2L.exe, 00000006.00000002.916660808.00000000029C1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: K0bg9rZl2L.exe, 00000006.00000002.917197533.0000000002CE5000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000006.00000002.917371104.0000000002D55000.00000004.00000001.sdmp | String found in binary or memory: https://yBn4IuANygFMcOSp.com
                      Source: K0bg9rZl2L.exe, 00000006.00000002.916660808.00000000029C1000.00000004.00000001.sdmp | String found in binary or memory: https://yBn4IuANygFMcOSp.com0
                      Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
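Most of the URLs above are browser-cache and ad-tech noise that happened to be in the process's memory; the strings worth a second look are the public-IP lookup service, the Tor bundle download and the two domains with random-looking labels. The script below is an added example by the editor, not part of the sandbox report or of the sample, that sorts a list of dumped URL strings into those buckets. The bucket names, the list of IP-lookup hosts, the Tor markers and the "generated label" heuristic are the editor's assumptions; the sample input is a handful of the report's own strings, constructed inline.

```python
"""Triage URL strings pulled from process memory dumps (added example)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed input: a few of the "String found in binary or memory" values above.
SAMPLE_STRINGS = [
    "http://tKqrxG.com",
    "http://www.digicert.com/CPS0v",
    "https://api.ipify.org%GETMozilla/5.0",
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha",
    "https://yBn4IuANygFMcOSp.com0",
    "https://www.liverpool.com/all-about/mohamed-salah",
    "https://securepubads.g.doubleclick.net/tag/js/gpt.js",
    "https://sectigo.com/CPS0",
]

# Assumption: services a stealer queries to learn the victim's public IP.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "checkip.dyndns.org"}
# Assumption: fragments that mean a Tor bundle is fetched at run time.
TOR_MARKERS = ("dist.torproject.org", "tor-win32")
# Certificate-policy URLs come from the code-signing chain, not from the payload.
CERT_POLICY_HOSTS = ("digicert.com", "sectigo.com")
VOWELS = set("aeiou")


def host_of(url: str) -> str:
    """Hostname of a dumped URL, case preserved. '%' cannot occur in a
    hostname, so everything from the first '%' on is treated as a neighbouring
    string that the dump ran together with the URL (assumption) and dropped."""
    netloc = urlsplit(url.split("%", 1)[0]).netloc
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0]


def looks_generated(label: str) -> bool:
    """Heuristic (editor's assumption): registered names are case-insensitive
    and almost never written in mixed case, and real words carry vowels, so a
    label of six or more characters that is mixed case, contains digits, or is
    nearly vowel-free is probably a generated placeholder or C2 name."""
    if len(label) < 6:
        return False
    if label != label.lower() or re.search(r"\d", label):
        return True
    return sum(c in VOWELS for c in label) / len(label) < 0.2


def classify(url: str) -> str:
    """Bucket one dumped URL: cert-policy, ip-lookup, tor-download,
    generated-domain or web-content (cached pages, ads, analytics)."""
    host = host_of(url)
    path = urlsplit(url.split("%", 1)[0]).path
    if any(host.lower().endswith(h) for h in CERT_POLICY_HOSTS) or path.startswith("/CPS"):
        return "cert-policy"
    if host.lower() in IP_LOOKUP_HOSTS:
        return "ip-lookup"
    if any(m in url for m in TOR_MARKERS):
        return "tor-download"
    labels = host.split(".")
    if len(labels) >= 2 and looks_generated(labels[-2]):
        return "generated-domain"
    return "web-content"


def triage(strings):
    """Group dumped strings by bucket so the analyst reads the short lists first."""
    buckets = {}
    for s in strings:
        buckets.setdefault(classify(s), []).append(s)
    return buckets


def summary(strings) -> Counter:
    """Count per bucket; a large web-content bucket is the expected noise."""
    return Counter(classify(s) for s in strings)


if __name__ == "__main__":
    for bucket, urls in sorted(triage(SAMPLE_STRINGS).items()):
        print(bucket)
        for u in urls:
            print("   ", u)
```

Run against the full list from a report export, the web-content bucket absorbs the liverpool.com, ad-tech and analytics URLs, which leaves a handful of lines to check by hand. The mixed-case rule is deliberately crude: it will not catch a lowercase algorithmically generated domain, and a legitimate service with a digit in its name would be flagged, so treat the bucket as a reading order, not a verdict.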

                      System Summary:

Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_027D0870
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_027DD890
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_0285C368
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_028501A2
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_0285E4B8
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_0285F510
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_0285AB90
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_0285D9A0
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_028509A8
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_028509B8
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_00F520F0
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_00F56CE8
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_00F537D6
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_00F5B130
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_00F592F0
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_00F57428
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_00F5E5D8
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_00F57528
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_00F9BA18
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_00F96990
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_027E46A0
Source: K0bg9rZl2L.exe | Binary or memory string: OriginalFilename vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWindowsApp1.exe8 vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe, 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameYVAU TjZ.exe2 vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe, 00000000.00000002.666138477.0000000000552000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameF67b9O9XfbiW6JN101b0575e.exeR vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe, 00000000.00000002.697157152.0000000004E50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe, 00000000.00000002.698716743.0000000006600000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe | Binary or memory string: OriginalFilename vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe, 00000006.00000002.914072243.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameYVAU TjZ.exe2 vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe, 00000006.00000000.665731094.00000000005A2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameF67b9O9XfbiW6JN101b0575e.exeR vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe, 00000006.00000002.915282847.0000000000EC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe, 00000006.00000002.914223785.0000000000938000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe, 00000006.00000002.914884009.0000000000BCA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe, 00000006.00000002.915392610.0000000000F30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs K0bg9rZl2L.exe
Source: K0bg9rZl2L.exe | Binary or memory string: OriginalFilenameF67b9O9XfbiW6JN101b0575e.exeR vs K0bg9rZl2L.exe
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@6/8@3/3
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | File created: C:\Users\user\Desktop\dedd659c48564f729136e943657b6aef.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_01
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | File created: C:\Users\user\AppData\Local\Temp\14906059cf1d40cd99ff18e182ff171d
Source: K0bg9rZl2L.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: K0bg9rZl2L.exe | Virustotal: Detection: 36%
Source: K0bg9rZl2L.exe | ReversingLabs: Detection: 21%
Source: unknown | Process created: C:\Users\user\Desktop\K0bg9rZl2L.exe 'C:\Users\user\Desktop\K0bg9rZl2L.exe'
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\K0bg9rZl2L.exe' -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Process created: C:\Users\user\Desktop\K0bg9rZl2L.exe C:\Users\user\Desktop\K0bg9rZl2L.exe
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\K0bg9rZl2L.exe' -Force
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Process created: C:\Users\user\Desktop\K0bg9rZl2L.exe C:\Users\user\Desktop\K0bg9rZl2L.exe
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: K0bg9rZl2L.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: K0bg9rZl2L.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: K0bg9rZl2L.exe | Static PE information: 0xAF2CEA60 [Sat Feb 17 16:46:24 2063 UTC]
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_027D92C9 push FFFFFFE9h; retf
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_027DD0E5 push FFFFFF8Bh; iretd
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_027DD487 push dword ptr [esp+ecx*2-75h]; ret
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_02858195 push FFFFFF8Bh; retf
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_028581E9 push FFFFFF8Bh; retf
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_028559F8 push esp; retf
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_0278D95C push eax; ret
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 6_2_0278E332 push eax; ret
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\K0bg9rZl2L.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.5a70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.433dbb8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.698060077.0000000005A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: K0bg9rZl2L.exe PID: 6860, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLLUSER
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4367
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2711
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Window / User API: threadDelayed 1747
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Window / User API: threadDelayed 8063
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe TID: 6880 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7112 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe TID: 5984 | Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe TID: 5728 | Thread sleep count: 1747 > 30
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe TID: 5728 | Thread sleep count: 8063 > 30
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe TID: 5984 | Thread sleep count: 36 > 30
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Thread delayed: delay time: 922337203685477
Source: powershell.exe, 00000003.00000003.732891085.0000000005588000.00000004.00000001.sdmp | Binary or memory string: k:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | Binary or memory string: !noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: powershell.exe, 00000003.00000003.732891085.0000000005588000.00000004.00000001.sdmp | Binary or memory string: Hyper-V
Source: K0bg9rZl2L.exe, 00000000.00000002.666708032.0000000000B57000.00000004.00000020.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
Source: K0bg9rZl2L.exe, 00000000.00000002.697157152.0000000004E50000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
Source: K0bg9rZl2L.exe, 00000000.00000002.697157152.0000000004E50000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: K0bg9rZl2L.exe, 00000000.00000002.697157152.0000000004E50000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | Binary or memory string: VMwareVBox
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp | Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
Source: K0bg9rZl2L.exe, 00000006.00000002.915075065.0000000000C72000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: K0bg9rZl2L.exe, 00000000.00000002.697157152.0000000004E50000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Code function: 0_2_027D41E8 LdrInitializeThunk,
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Memory allocated: page read and write | page guard
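The evasion entries above are a string-level record: the sample's own memory region (0422F000) holds VMware, VirtualBox, Sandboxie and Wine/QEMU artefact names alongside WMI hardware-class queries, while the Hyper-V hits sit in PowerShell module paths and in what reads as Windows resource text rather than in the sample's code, and the report does not weight one against the other. The scanner below is an added example written for this page (it is not Joe Sandbox code and contains nothing from the sample): it greps a dumped region for the indicator strings the report lists, in both ASCII and UTF-16LE, because AgentTesla is a .NET binary and .NET string literals are stored as UTF-16LE, which an ASCII-only grep misses; hits are bucketed by environment and scored so that OS-resident Hyper-V text alone stays low. The bucket weights, verdict thresholds and both sample regions are constructed assumptions, not values taken from the report.

```python
import re
from collections import defaultdict

# Indicator strings as they appear in the report's "Binary or memory string"
# entries, grouped by the environment they probe. The grouping, the weights and
# the verdict thresholds below are this example's assumptions, not report data.
INDICATORS = {
    "vmware": ["VMware Tools", "vmmouse.sys", "vmhgfs.sys", "VMware SVGA II", "vmware"],
    "virtualbox": ["VBoxMouse.sys", "VBox"],
    "qemu_wine": ["wine_get_unix_file_name", "QEMU"],
    "sandboxie": ["SbieDll.dll"],
    "hyperv": ["Hyper-V"],
    # WMI hardware classes the sample enumerates; legitimate software does too,
    # so this bucket only adds weight next to the others.
    "wmi_hw": ["Win32_BaseBoard", "Win32_Bios",
               "Win32_NetworkAdapterConfiguration", "Win32_Processor"],
}
# Hyper-V text also lives in Windows resource strings and module paths (the
# report's Hyper-V hits come from such regions), so it scores low on its own.
WEIGHT = {"vmware": 3, "virtualbox": 3, "qemu_wine": 3,
          "sandboxie": 3, "hyperv": 1, "wmi_hw": 1}


def _compile():
    """One ASCII and one UTF-16LE regex per indicator, both case-insensitive.

    .NET string literals (AgentTesla is a .NET binary) sit in memory as UTF-16LE,
    so an ASCII-only grep misses them; the report's upper-case hits such as
    SBIEDLL.DLL are why the match ignores case."""
    out = []
    for bucket, strings in INDICATORS.items():
        for s in strings:
            for enc, raw in (("ascii", s.encode("ascii")), ("utf16", s.encode("utf-16-le"))):
                out.append((bucket, s, enc, re.compile(re.escape(raw), re.IGNORECASE)))
    return out


PATTERNS = _compile()


def scan(region: bytes) -> dict:
    """Return the indicator hits in a memory region, bucketed, with a score."""
    hits = defaultdict(set)
    for bucket, s, enc, rx in PATTERNS:
        if rx.search(region):
            hits[bucket].add(f"{s} ({enc})")
    score = sum(WEIGHT[b] for b in hits)   # one weight per bucket, however many strings hit
    if score >= 6:
        verdict = "likely anti-analysis logic"
    elif score >= 3:
        verdict = "possible anti-analysis logic"
    else:
        verdict = "low confidence, probably OS-resident strings"
    return {"hits": {b: sorted(v) for b, v in hits.items()}, "score": score, "verdict": verdict}


# Constructed stand-ins for two dumped regions (not bytes from the report).
SAMPLE_REGION = (
    b"\x00" * 16
    + b"SbieDll.dll\x00"                                  # ASCII check string
    + "VMware SVGA II".encode("utf-16-le") + b"\x00\x00"  # .NET string literal
    + b"kernel32.dll/wine_get_unix_file_nameQEMU"         # adjacent literals, as in the report
    + "Win32_BaseBoard".encode("utf-16-le")
    + b"\x00" * 16
)
OS_RESOURCE_REGION = (
    b"A Virtual Machine could not be started because Hyper-V is not installed.\x00"
)

if __name__ == "__main__":
    for name, region in (("sample", SAMPLE_REGION), ("os_resource", OS_RESOURCE_REGION)):
        print(name, scan(region))
```

Run it against a raw `.sdmp` read as bytes; the "(utf16)" tags in the output are what distinguish the sample's own .NET literals from ASCII text mapped in from system DLLs.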

                      HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\K0bg9rZl2L.exe' -Force
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\K0bg9rZl2L.exe' -Force
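The command line above excludes the sample's own executable path from Defender scanning (a file path, although the signature name says directory; -ExclusionPath accepts either), and the "Powershell Defender Exclusion" Sigma hit in the summary fires on this shape. The detector below is an added example written for this page, not the Sigma rule and not Joe Sandbox code: it tokenises process-creation command lines, expands -EncodedCommand (any abbreviation from -e upward, base64 of UTF-16LE) so obfuscated launches get the same treatment, matches Add-MpPreference and Set-MpPreference parameters by prefix because PowerShell accepts abbreviated parameter names, and rates an exclusion under a user-writable path or any -Disable* switch as high severity. Only the first sample command line is the one the report observed; the others, and the path list in USER_WRITABLE, are constructed for the example.

```python
import base64
import binascii
import re

# Cmdlets and parameters that weaken Microsoft Defender. Parameter names are
# compared by prefix because PowerShell accepts any unambiguous abbreviation
# (-ExclusionP is accepted just like -ExclusionPath), which loggers often see.
TAMPER_PARAMS = {
    "add-mppreference": ("-exclusionpath", "-exclusionprocess",
                         "-exclusionextension", "-exclusionipaddress"),
    "set-mppreference": ("-exclusionpath", "-exclusionprocess",
                         "-exclusionextension", "-disablerealtimemonitoring",
                         "-disableioavprotection", "-disablebehaviormonitoring"),
}
# Locations an unprivileged user can write to (assumed list); an exclusion
# there shields whatever the user, or malware running as the user, drops.
USER_WRITABLE = re.compile(r"(?i)(\\users\\|\\appdata\\|\\temp\\|\\programdata\\|%temp%|%appdata%)")
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')


def _tokenize(cmd):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    toks = []
    for t in TOKEN.findall(cmd):
        if len(t) >= 2 and t[0] in "\"'" and t[-1] == t[0]:
            t = t[1:-1]
        toks.append(t)
    return toks


def _expand_encoded(tokens):
    """Replace -EncodedCommand <b64> (any abbreviation of the flag) with the
    decoded UTF-16LE script so the same checks apply to obfuscated launches."""
    out, decoded, i = [], False, 0
    while i < len(tokens):
        t = tokens[i]
        flag = t[1:].lower() if t.startswith("-") else ""
        if flag and "encodedcommand".startswith(flag) and i + 1 < len(tokens):
            try:
                script = base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                out.append(t)
                i += 1
                continue
            out.extend(_tokenize(script))
            decoded = True
            i += 2
            continue
        out.append(t)
        i += 1
    return out, decoded


def analyze_command_line(cmd):
    """Return Defender-tampering findings for one process-creation command line."""
    tokens, decoded = _expand_encoded(_tokenize(cmd))
    low = [t.lower() for t in tokens]
    findings = []
    for i, tok in enumerate(low):
        params = TAMPER_PARAMS.get(tok)
        if not params:
            continue
        for j in range(i + 1, len(low)):
            if low[j] in TAMPER_PARAMS:          # next cmdlet on the same line
                break
            if not low[j].startswith("-") or len(low[j]) < 4:
                continue
            matched = [p for p in params if p.startswith(low[j])]
            if not matched:
                continue
            value = tokens[j + 1] if j + 1 < len(tokens) and not tokens[j + 1].startswith("-") else ""
            high = matched[0].startswith("-disable") or bool(USER_WRITABLE.search(value))
            findings.append({"cmdlet": tokens[i], "parameter": matched[0],
                             "value": value, "severity": "high" if high else "medium"})
    return {"tampering": bool(findings), "decoded_from_base64": decoded, "findings": findings}


# Constructed process-creation records. The first is the command line the
# report observed; the rest are made up for the example.
_ENC = base64.b64encode(
    r"Add-MpPreference -ExclusionP C:\Users\user\AppData\Roaming\svc.exe".encode("utf-16-le")
).decode("ascii")
SAMPLE_COMMAND_LINES = [
    r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\K0bg9rZl2L.exe' -Force",
    f"powershell.exe -nop -w hidden -enc {_ENC}",
    r"powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    r"powershell.exe Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft SQL Server'",
    r"powershell.exe Get-MpPreference | Select-Object ExclusionPath",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(analyze_command_line(line))
```

Feed it the CommandLine field of Sysmon event 1 or Security event 4688 records; a "medium" finding under Program Files is worth a ticket, a "high" one under a user profile is an incident.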
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Memory written: C:\Users\user\Desktop\K0bg9rZl2L.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\K0bg9rZl2L.exe' -Force
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Process created: C:\Users\user\Desktop\K0bg9rZl2L.exe C:\Users\user\Desktop\K0bg9rZl2L.exe
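The entries above have the classic hollowing shape: the sample starts a second copy of itself and writes a buffer beginning with 4D5A ("MZ") at base 0x400000 inside that child, and it is the child (PID 1316 in the later Yara matches) that goes on to do the credential theft. A 4D5A prefix on its own is weak evidence, and the report says nothing more about the buffer, so the check below, an added Python example written for this page and not code from the sandbox or the sample, walks the DOS header to e_lfanew, validates the PE signature, reads ImageBase and the CLR data directory from the optional header, and flags the write as hollowing when the written image's preferred base equals the address it is written to. The headers it runs on are built by build_test_image, a constructed stand-in; no bytes from the sample are used.

```python
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def inspect_written_buffer(target_base: int, data: bytes) -> dict:
    """Classify a cross-process memory write by what the buffer contains.

    Follows DOS header -> e_lfanew -> "PE\\0\\0" -> optional header, so a buffer
    is only called a PE image when the headers are consistent, then compares the
    image's preferred ImageBase with the address it is written to: a match is the
    hallmark of process hollowing, where the payload replaces the suspended
    child's own image at the base that image expects."""
    result = {"is_pe": False, "hollowing_suspected": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt + opt_size > len(data) or opt_size < 96:
        return result
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: ImageBase at +28, NumberOfRvaAndSizes at +92, directories at +96
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        ndirs, dir_off = struct.unpack_from("<I", data, opt + 92)[0], opt + 96
    elif magic == 0x20B:      # PE32+: no BaseOfData, 8-byte ImageBase at +24, directories at +112
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        ndirs, dir_off = struct.unpack_from("<I", data, opt + 108)[0], opt + 112
    else:
        return result
    # Data directory 14 is the CLR header; a non-zero RVA marks a .NET assembly.
    clr_rva = 0
    if ndirs > 14 and dir_off + 15 * 8 <= len(data):
        clr_rva = struct.unpack_from("<I", data, dir_off + 14 * 8)[0]
    is_dll = bool(chars & IMAGE_FILE_DLL)
    result.update({
        "is_pe": True,
        "machine": hex(machine),
        "sections": nsections,
        "image_base": hex(image_base),
        "is_dll": is_dll,
        "executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "dotnet": clr_rva != 0,
        "hollowing_suspected": image_base == target_base and not is_dll,
    })
    return result


def build_test_image(image_base: int, dotnet: bool = True) -> bytes:
    """Constructed minimal PE32 header (not a real sample) to exercise the check."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0                                   # standard PE32 optional header size
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, opt_size, 0x0102)  # i386, EXE, 32-bit
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)   # CLR header RVA and size
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


# Constructed write events shaped like the report's "Memory written" entry.
SAMPLE_WRITES = [
    ("child K0bg9rZl2L.exe", 0x400000, build_test_image(0x400000)),
    ("explorer.exe", 0x10000000, build_test_image(0x400000, dotnet=False)),
    ("child K0bg9rZl2L.exe", 0x400000, b"MZ" + b"\x00" * 62),   # 4D5A alone is not a PE
]

if __name__ == "__main__":
    for target, base, buf in SAMPLE_WRITES:
        print(target, hex(base), inspect_written_buffer(base, buf))
```

In a live hook or an EDR pipeline the inputs are the WriteProcessMemory target address and the first page of the buffer; the second sample shows why the base comparison matters, since a valid PE landing at a different address is more likely a manually mapped module than a hollowed image.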
Source: K0bg9rZl2L.exe, 00000006.00000002.915673246.0000000001350000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: K0bg9rZl2L.exe, 00000006.00000002.915673246.0000000001350000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: K0bg9rZl2L.exe, 00000006.00000002.915673246.0000000001350000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: K0bg9rZl2L.exe, 00000006.00000002.915673246.0000000001350000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Queries volume information: C:\Users\user\Desktop\K0bg9rZl2L.exe VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Queries volume information: C:\Users\user\Desktop\K0bg9rZl2L.exe VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.3b01478.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.3ae1458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.K0bg9rZl2L.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.3b01478.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.3879510.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.3879510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.914072243.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.3b01478.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.3ae1458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.K0bg9rZl2L.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.3b01478.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.3879510.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.3879510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.914072243.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: K0bg9rZl2L.exe PID: 1316, type: MEMORY
Source: Yara match | File source: Process Memory Space: K0bg9rZl2L.exe PID: 6860, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\K0bg9rZl2L.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000006.00000002.916660808.00000000029C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: K0bg9rZl2L.exe PID: 1316, type: MEMORY

                      Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.3b01478.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.3ae1458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.K0bg9rZl2L.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.3b01478.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.3879510.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.3879510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.914072243.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.3b01478.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.3ae1458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.K0bg9rZl2L.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.3b01478.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.3879510.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.K0bg9rZl2L.exe.3879510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.914072243.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: K0bg9rZl2L.exe PID: 1316, type: MEMORY
Source: Yara match | File source: Process Memory Space: K0bg9rZl2L.exe PID: 6860, type: MEMORY

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 112 | Masquerading 1 | OS Credential Dumping 2 | Query Registry 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 11 | Credentials in Registry 1 | Security Software Discovery 211 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 131 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Local System 2 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Virtualization/Sandbox Evasion 131 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 1 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Timestomp 1 | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 114 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 452750 | Sample: K0bg9rZl2L | Startdate: 22/07/2021 | Architecture: WINDOWS | Score: 100

Start
  Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Multi AV Scanner detection for submitted file; 7 other signatures
  K0bg9rZl2L.exe 17 6 (started)
    DNS/IP: bakercost.gq 172.67.156.203, 443, 49724 CLOUDFLARENETUS United States
    DNS/IP: 192.168.2.1 unknown unknown
    Dropped: C:\Users\user\AppData\...\K0bg9rZl2L.exe.log, ASCII
    Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    K0bg9rZl2L.exe 2 (started)
      DNS/IP: simpleitalian.com.au 103.18.109.159, 49757, 587 NET1-AS-APNetVirtuePtyLtdAU Australia
      DNS/IP: mail.simpleitalian.com.au
      Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    powershell.exe 23 (started)
      conhost.exe (started)

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
K0bg9rZl2L.exe | 37% | Virustotal |
K0bg9rZl2L.exe | 22% | ReversingLabs | Win32.Trojan.Wacatac
K0bg9rZl2L.exe | 100% | Joe Sandbox ML |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
6.2.K0bg9rZl2L.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

Source | Detection | Scanner | Label
simpleitalian.com.au | 0% | Virustotal |
bakercost.gq | 13% | Virustotal |

                      URLs


                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
simpleitalian.com.au | 103.18.109.159 | true | true | | unknown
bakercost.gq | 172.67.156.203 | true | true | | unknown
mail.simpleitalian.com.au | unknown | unknown | true | | unknown

                        URLs from Memory and Binaries

                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://reachplc.hub.loginradius.com&quot;K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                low
                                https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.pngK0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://s2-prod.liverpool.comK0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://i2-prod.liverpool.comK0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://felix.data.tm-awx.com/felix.min.jsK0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpgK0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpgK0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://www.liverpool.com/all-about/ozan-kabakK0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://s2-prod.mirror.co.uk/K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://www.liverpool.com/all-about/champions-leagueK0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://www.liverpool.com/all-about/curtis-userK0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://www.liverpool.com/all-about/steven-gerrardK0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://schema.org/NewsArticleK0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                  high
                                  https://www.liverpool.com/schedule/K0bg9rZl2L.exe, 00000000.00000002.667352895.00000000028A5000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://schema.org/BreadcrumbListK0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                    high
                                    https://securepubads.g.doubleclick.net/tag/js/gpt.jsK0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                      high
                                      http://ocsp.comodtK0bg9rZl2L.exe, 00000006.00000002.915196775.0000000000DC0000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://bakercost.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-DA64EK0bg9rZl2L.exe, 00000000.00000002.667259395.0000000002871000.00000004.00000001.sdmptrue
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://s2-prod.liverpool.com/K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://felix.data.tm-awx.com/ampconfig.json&quot;K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpgK0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpgK0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpgK0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://yBn4IuANygFMcOSp.comK0bg9rZl2L.exe, 00000006.00000002.917197533.0000000002CE5000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000006.00000002.917371104.0000000002D55000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpgK0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://schema.org/ListItemK0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                        high
                                        https://www.liverpool.com/all-about/georginio-wijnaldumK0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        https://mab.data.tm-awx.com/rhs&quot;K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        https://felix.data.tm-awx.comK0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://crl.comodoNK0bg9rZl2L.exe, 00000006.00000002.915196775.0000000000DC0000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://www.liverpool.com/all-about/andrew-robertsonK0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmp, K0bg9rZl2L.exe, 00000000.00000002.667413515.00000000028BF000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        https://i2-prod.liverpool.com/incoming/article17166876.ece/ALTERNATES/s615/0_GettyImages-1175998874.K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        https://api.ipify.org%GETMozilla/5.0K0bg9rZl2L.exe, 00000006.00000002.916660808.00000000029C1000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        low
                                        https://www.liverpool.com/liverpool-fc-news/features/liverpool-gini-wijnaldum-rumours-fitness-199533K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-199590K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s180/0_GettyImages-1304940818.K0bg9rZl2L.exe, 00000000.00000002.686267871.0000000003B41000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        https://www.liverpool.com/K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        https://www.liverpool.com/cookie-policy/K0bg9rZl2L.exe, 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://www.liverpool.com/all-about/transfersK0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763&K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://DynDns.comDynDNSK0bg9rZl2L.exe, 00000006.00000002.916660808.00000000029C1000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpgK0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        https://sectigo.com/CPS0K0bg9rZl2L.exe, 00000006.00000002.915196775.0000000000DC0000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpgK0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-K0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        https://reach-id.orbit.tm-awx.com/analytics.js.gzK0bg9rZl2L.exe, 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown

Contacted IPs


Public

IP             | Domain               | Country       | ASN    | ASN Name                    | Malicious
172.67.156.203 | bakercost.gq         | United States | 13335  | CLOUDFLARENETUS             | true
103.18.109.159 | simpleitalian.com.au | Australia     | 132680 | NET1-AS-APNetVirtuePtyLtdAU | true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 452750
Start date: 22.07.2021
Start time: 19:34:54
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 18s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: K0bg9rZl2L (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@6/8@3/3
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 104.42.151.234, 23.211.6.115, 40.88.32.150, 20.82.210.154, 13.107.4.50, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211
• Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, Edge-Prod-FRA.env.au.au-msedge.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, c-0001.c-msedge.net, afdap.au.au-msedge.net, ris.api.iris.microsoft.com, au.au-msedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, au.c-0001.c-msedge.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
19:36:06 | API Interceptor | 721x Sleep call for process: K0bg9rZl2L.exe modified
19:36:19 | API Interceptor | 32x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match: 172.67.156.203
Associated Sample Name / URL | Detection
Swift-pdf.exe | malicious
aLLEK0YD2O.exe | malicious
triage_dropped_file.exe | malicious
MPU702734-pdf.exe | malicious
o8YvAfzUQl.exe | malicious
6x6wq7Dy4t.exe | malicious
ltemsreceipt975432907.exe | malicious
bank.doc.exe | malicious
ANNA-INVOICE-4725434.EXE | malicious
Victoria-Invoice-62541323.exe | malicious
Aurora-Invoice-9383736.exe | malicious
8d9U6fF3H1.exe | malicious
purchase order.doc | malicious
Madison-Invoice-6220917.exe | malicious
OneDrive.exe | malicious
jGUR7OQF1a.exe | malicious
Product Emm 803030830019971 10082982820091989 109938377338393.exe | malicious
02_extracted.exe | malicious
01_extracted.exe | malicious
Company presentation and order specification_IMG.exe | malicious

Domains

Match: bakercost.gq
Associated Sample Name / URL | Detection | Context
Swift-pdf.exe | malicious | 104.21.13.164
aLLEK0YD2O.exe | malicious | 104.21.13.164
MPU702734-pdf.exe | malicious | 104.21.13.164
triage_dropped_file.exe | malicious | 172.67.156.203
DOC98374933JULY2021.exe | malicious | 104.21.13.164
MPU702734-pdf.exe | malicious | 104.21.13.164
o8YvAfzUQl.exe | malicious | 172.67.156.203
download.dat.exe | malicious | 104.21.13.164
WindowsFormsApp1.exe | malicious | 104.21.13.164
6x6wq7Dy4t.exe | malicious | 172.67.156.203
ltemsreceipt975432907.exe | malicious | 104.21.13.164
bank.doc.exe | malicious | 172.67.156.203
ANNA-INVOICE-4725434.EXE | malicious | 172.67.156.203
Victoria-Invoice-62541323.exe | malicious | 172.67.156.203
Aurora-Invoice-9383736.exe | malicious | 172.67.156.203
8d9U6fF3H1.exe | malicious | 172.67.156.203
purchase order.doc | malicious | 172.67.156.203
3278_pdf.exe | malicious | 104.21.13.164
Madison-Invoice-6220917.exe | malicious | 172.67.156.203
Hazel-Invoice-9002745.exe | malicious | 104.21.13.164

ASN

Match: NET1-AS-APNetVirtuePtyLtdAU
Associated Sample Name / URL | Detection | Context
droxoUY6SU.exe | malicious | 103.18.109.164
RfTQP.exe | malicious | 103.18.109.186
OUTSTANDING_INVOICE_Statement_077117.xlsm | malicious | 103.18.108.116
OUTSTANDING_INVOICE_Statement_112488.xlsm | malicious | 103.18.108.116
LYngoHo12f.dll | malicious | 103.18.108.116
v2HhnFmaVL.dll | malicious | 103.18.108.116
hNWv33c6vO.dll | malicious | 103.18.108.116
DT4fKHpvho.dll | malicious | 103.18.108.116
F2IEXKEaSG.dll | malicious | 103.18.108.116
SRH2EHlixv.dll | malicious | 103.18.108.116
XZAKMeSCAh.dll | malicious | 103.18.108.116
xA732naDJK.dll | malicious | 103.18.108.116
WrJsjSVmIW.dll | malicious | 103.18.108.116
Yr8ElL80Bg.dll | malicious | 103.18.108.116
xc6uov5QUt.dll | malicious | 103.18.108.116
R1Vw5x5Gk7.dll | malicious | 103.18.108.116
PVItZxbAhC.dll | malicious | 103.18.108.116
YKOVp6Rx9G.dll | malicious | 103.18.108.116
4lAXiCvogP.dll | malicious | 103.18.108.116
M4WD0oqJPr.dll | malicious | 103.18.108.116

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Context
IWky5C8Dhwcnso8.exe | malicious | 172.67.188.154
q6pnkIaviT.exe | malicious | 162.159.135.233
btweb_installer.exe | malicious | 104.18.88.101
s2rsXUiUn8.exe | malicious | 162.159.134.233
ZzWelCRhns.exe | malicious | 172.67.130.27
NqRG532O8h.dll | malicious | 104.18.7.156
85vLO1Rpcy.exe | malicious | 104.21.86.209
PAYMENT ADVICE.doc | malicious | 104.21.27.166
PO20210722.xlsx | malicious | 162.159.130.233
New order 11244332.pdf.exe | malicious | 172.67.188.154
Z0hOr2pD7k.exe | malicious | 1.1.1.1
USD_SLIP.docx | malicious | 104.21.19.245
DHL JULY STATEMENT OF ACCOUNT.exe | malicious | 104.21.19.200
qK3005mdZn.exe | malicious | 172.67.168.51
whesilox.exe | malicious | 172.67.188.154
Bank contract,PDF.exe | malicious | 172.67.188.154
Scan003000494 pdf.exe | malicious | 172.67.188.154
Swift-pdf.exe | malicious | 104.21.13.164
Order _ 08201450.doc | malicious | 172.67.188.154
aLLEK0YD2O.exe | malicious | 104.21.13.164

JA3 Fingerprints

Match: 54328bd36c14bd82ddaa0c04b25ed9ad
Associated Sample Name / URL | Detection | Context
IWky5C8Dhwcnso8.exe | malicious | 172.67.156.203
ZzWelCRhns.exe | malicious | 172.67.156.203
New order 11244332.pdf.exe | malicious | 172.67.156.203
DHL JULY STATEMENT OF ACCOUNT.exe | malicious | 172.67.156.203
whesilox.exe | malicious | 172.67.156.203
Bank contract,PDF.exe | malicious | 172.67.156.203
Scan003000494 pdf.exe | malicious | 172.67.156.203
Swift-pdf.exe | malicious | 172.67.156.203
aLLEK0YD2O.exe | malicious | 172.67.156.203
Specifications_Details_20337_FLQ.exe | malicious | 172.67.156.203
SgjcpodWpB.exe | malicious | 172.67.156.203
10303640_APMC-TRN-C0001-Stability_Calculation_Rev1.exe | malicious | 172.67.156.203
MPU702734-pdf.exe | malicious | 172.67.156.203
jRPSjUSf.exe | malicious | 172.67.156.203
ruoMVmVwPu.exe | malicious | 172.67.156.203
4QKHQR82Xt.exe | malicious | 172.67.156.203
GHK2s5apNB.exe | malicious | 172.67.156.203
kRGc0HgN5b.exe | malicious | 172.67.156.203
SecuriteInfo.com.BackDoor.SpyBotNET.25.28334.exe | malicious | 172.67.156.203
rrnIEffG4c.exe | malicious | 172.67.156.203

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\K0bg9rZl2L.exe.log
Process: C:\Users\user\Desktop\K0bg9rZl2L.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1308
Entropy (8bit): 5.35826085534976
Encrypted: false
SSDEEP: 24:ML9E4Ks2wKDE4KhK3VZ9pKhgLE4qXKIE4oKFKHKoZAE4Kzr7rE4jE4Ko84G1qE4j:MxHKXwYHKhQnogLHitHoxHhAHKzvrHjz
MD5: 48368BF02895E447540DFBA80D9D9743
SHA1: D17396B97985D5D390DE4D9A08853F6D944EA3F2
SHA-256: EC5D2E5B69722E9CF56FF4F1A0D47BE3B11D8B93AB3CF2CAE76E853F4EC794D7
SHA-512: F3F4A96E9066B64A3750B18FABE5728E886DBDE0F29116BC6A438973A76AD5E1C6775A11E0C565C7643417EA70FDB68A5C1648008A45FE72249215BE8D87CBD2
Malicious: true
Reputation: low
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKey

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 14734
Entropy (8bit): 4.996142136926143
Encrypted: false
SSDEEP: 384:SEdVoGIpN6KQkj2Zkjh4iUxZvuiOOdBCNXp5nYoJib4J:SYV3IpNBQkj2Yh4iUxZvuiOOdBCNZlYO
MD5: B7D3A4EB1F0AED131A6E0EDF1D3C0414
SHA1: A72E0DDE5F3083632B7242D2407658BCA3E54F29
SHA-256: 8E0EB5898DDF86FE9FE0011DD7AC6711BB0639A8707053D831FB348F9658289B
SHA-512: F9367BBEC9A44E5C08757576C56B9C8637D8A0A9D6220DE925255888E6A0A088C653E207E211A6796F6A7F469736D538EA5B9E094944316CF4E8189DDD3EED9D
Malicious: false
Reputation: moderate, very likely benign file
Preview: PSMODULECACHE.............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script................T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 22312
Entropy (8bit): 5.601566728872549
Encrypted: false
SSDEEP: 384:6tCDTkkm1jt/V++SBKnCul6iD7Y9ghSJUeRu1BMrmrZSRV77nMZ7564I+Bg:nUjth4KCulj3hXe1aAnyA
MD5: 1D19BB2AA78F58C5D31B3C2A0DF05B6B
SHA1: 6D18B125CC4ECC1C523116E69DD5A872CBEB40A7
SHA-256: C61E18E5034EB1018BE94B63F0E9DE35C8E204EC6712143900BC2189AEE42DF3
SHA-512: 6475B28B155A3929AA393956BBA51AA55C1EDA94BA7F6B632CFABEF2C0A0536A807E8F82E4345344D2F60BF56E4047D0F098FA735E13B76FC6D3140B275B0FBE
Malicious: false
Reputation: low
Preview: @...e.......................d.R.2.......1............@..........H...............<@.^.L."My...:R..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                                C:\Users\user\AppData\Local\Temp\14906059cf1d40cd99ff18e182ff171d
                                                                                Process:C:\Users\user\Desktop\K0bg9rZl2L.exe
                                                                                File Type:ASCII text, with very long lines, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):622385
                                                                                Entropy (8bit):2.8976563455834365
                                                                                Encrypted:false
                                                                                SSDEEP:6144:YaX4W8j4LrbLhdPAJmpYcgXPCy3poHVcaVxuY6rUi1F+niWgbnkpvbXyGhRlX3J5:XxdP+oHeD9+niWgbnkpj1j/oI
                                                                                MD5:451BDA3D085ED031392288F19B600079
                                                                                SHA1:58F509AA622F66953E62EE4AACC3C259D57BC573
                                                                                SHA-256:EDB98216DC2C2AB2D611928B00D25DC0929953BDF7AD11B91782FF56E1F80724
                                                                                SHA-512:80C2683AB5ED7205903ECFE0BE88156B5CC4D5B8928B2194B7D3B8F22D1CE285DA8254276C39BB50C5B8F68A71B7D7FC497326DB3C3982C861B4227857192A40
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview: 77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 128 0 0 0 14 31 186 14 0 180 9 205 33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97 109 32 99 97 110 110 111 116 32 98 101 32 114 117 110 32 105 110 32 68 79 83 32 109 111 100 101 46 13 13 10 36 0 0 0 0 0 0 0 80 69 0 0 76 1 3 0 43 121 246 96 0 0 0 0 0 0 0 0 224 0 2 1 11 1 8 0 0 86 3 0 0 6 0 0 0 0 0 0 206 116 3 0 0 32 0 0 0 0 0 0 0 0 64 0 0 32 0 0 0 2 0 0 4 0 0 0 0 0 0 0 4 0 0 0 0 0 0 0 0 192 3 0 0 2 0 0 0 0 0 0 2 0 64 133 0 0 16 0 0 16 0 0 0 0 16 0 0 16 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 0 0 0 124 116 3 0 79 0 0 0 0 128 3 0 192 3 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 160 3 0 12 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 8 0 0 0 0 0 0 0 0 0 0 0 8 32 0 0 72 0 0 0 0 0 0 0 0 0 0 0 46 116 101 120 116 0 0 0 212 84 3 0 0 32 0 0 0 86 3 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 96 46 114 115 1
                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_liycv4ep.1cw.ps1
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:very short file (no magic)
                                                                                Category:dropped
                                                                                Size (bytes):1
                                                                                Entropy (8bit):0.0
                                                                                Encrypted:false
                                                                                SSDEEP:3:U:U
                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                Malicious:false
                                                                                Reputation:high, very likely benign file
                                                                                Preview: 1
                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m33dr320.qvb.psm1
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:very short file (no magic)
                                                                                Category:dropped
                                                                                Size (bytes):1
                                                                                Entropy (8bit):0.0
                                                                                Encrypted:false
                                                                                SSDEEP:3:U:U
                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                Malicious:false
                                                                                Preview: 1
                                                                                C:\Users\user\Desktop\dedd659c48564f729136e943657b6aef.dll
                                                                                Process:C:\Users\user\Desktop\K0bg9rZl2L.exe
                                                                                File Type:ASCII text, with very long lines, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):861174
                                                                                Entropy (8bit):2.7605214644462466
                                                                                Encrypted:false
                                                                                SSDEEP:1536:QJ7ZOQz3Kve36nr7bqcbz6XZEn0/EniQ3xt9gO3VLkht2TgHIdD/YJRPRo6549Cb:Lnr/KEnoEnzmALqi/jEX
                                                                                MD5:3CE3D10BE646910FD966C60B3E48CA3A
                                                                                SHA1:D8B75E0B8F2F34D8471E3F0820410117ADAACBAD
                                                                                SHA-256:CC6BD43DA778D5C60B36F23E8890D67D29DFDBEE5744EB69A3AC845297455D39
                                                                                SHA-512:1F02B8C7BF07C5B3A6AC11DEE65048282CD0BBC2D951BC508B5BDC4DC9800D0D675982EE7029710D3E3DC5FBEFAFFDA79C98F6B4C1937F1FE5482F1DE373300D
                                                                                Malicious:false
                                                                                Preview: 77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 128 0 0 0 14 31 186 14 0 180 9 205 33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97 109 32 99 97 110 110 111 116 32 98 101 32 114 117 110 32 105 110 32 68 79 83 32 109 111 100 101 46 13 13 10 36 0 0 0 0 0 0 0 80 69 0 0 76 1 3 0 254 142 134 251 0 0 0 0 0 0 0 0 224 0 34 0 11 1 80 0 0 226 4 0 0 8 0 0 0 0 0 0 254 0 5 0 0 32 0 0 0 32 5 0 0 0 64 0 0 32 0 0 0 2 0 0 4 0 0 0 0 0 0 0 4 0 0 0 0 0 0 0 0 96 5 0 0 2 0 0 0 0 0 0 2 0 64 133 0 0 16 0 0 16 0 0 0 0 16 0 0 16 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 0 0 0 164 0 5 0 87 0 0 0 0 32 5 0 184 5 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 5 0 12 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 8 0 0 0 0 0 0 0 0 0 0 0 8 32 0 0 72 0 0 0 0 0 0 0 0 0 0 0 46 116 101 120 116 0 0 0 4 225 4 0 0 32 0 0 0 226 4 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 96 46 114 115 11
                                                                                C:\Users\user\Documents\20210722\PowerShell_transcript.642294.pSUMO4EI.20210722193552.txt
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):5785
                                                                                Entropy (8bit):5.400381717825487
                                                                                Encrypted:false
                                                                                SSDEEP:96:BZAjDN+qDo1ZFZkjDN+qDo1ZI6QCjZ+jDN+qDo1ZiHSSfZ8:D
                                                                                MD5:5A19C067EE90DB7CFB6448120504E8CA
                                                                                SHA1:EED5D09E359C1BB06403423AFCE289874DDAC61D
                                                                                SHA-256:586F429CB3926EC5AD029AEF8364122D6E301FCEFBF2EDCC45C0FF73F35982B7
                                                                                SHA-512:1EFF6F20DA4244CC2B46258F31EE6D69A207E1890875B4CF737E5C9754F083E1408CBB7C25B3FD4751AAF9163CD2195C0988C279F51EB2237BECF925623C4702
                                                                                Malicious:false
                                                                                Preview: .**********************..Windows PowerShell transcript start..Start time: 20210722193610..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 642294 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\K0bg9rZl2L.exe -Force..Process ID: 7060..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210722193610..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\K0bg9rZl2L.exe -Force..**********************..Windows PowerShell transcript start..Start time: 20210722194035..Username: computer\user..RunAs User: computer\user.

                                                                                Static File Info

                                                                                General

                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Entropy (8bit):5.368608644874725
                                                                                TrID:
                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                                File name:K0bg9rZl2L.exe
                                                                                File size:17920
                                                                                MD5:699e56ea4da0b0865fc33308a8b09df9
                                                                                SHA1:c32dff686616f747f808a5c0bc67484d4755f568
                                                                                SHA256:e5805ba9f9119986eb49be00972cb30d5249f8c19c872c4daacb2ad67a157bb5
                                                                                SHA512:84586f58c062eb957348ddb548d77b651e6878bddbf4b13f845d7c9021bc6221d4356c8bec8a2ab1b1e3a5a8f4b1ca2871c7c9c2657b1e6dd225f0c738dcb5f0
                                                                                SSDEEP:384:r/9hScRkXl+0Ii1QKYwaCZU6w2mtTAEhVLU6oLUJflQDrbP:rXScRkjl/mv6SNhVPoGfl+bP
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`.,..........."...0..:...........Y... ...`....@.. ....................................@................................

                                                                                File Icon

                                                                                Icon Hash:00828e8e8686b000

                                                                                Static PE Info

                                                                                General

                                                                                Entrypoint:0x4059ae
                                                                                Entrypoint Section:.text
                                                                                Digitally signed:false
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                Time Stamp:0xAF2CEA60 [Sat Feb 17 16:46:24 2063 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:v4.0.30319
                                                                                OS Version Major:4
                                                                                OS Version Minor:0
                                                                                File Version Major:4
                                                                                File Version Minor:0
                                                                                Subsystem Version Major:4
                                                                                Subsystem Version Minor:0
                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                Entrypoint Preview

                                                                                Instruction
                                                                                jmp dword ptr [00402000h]

                                                                                Data Directories

                                                                                Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                                IMAGE_DIRECTORY_ENTRY_IMPORT          0x5960           0x4b          .text
                                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE        0x6000           0x6e8         .rsrc
                                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC       0x8000           0xc           .reloc
                                                                                IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                Sections

                                                                                Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
                                                                                .text   0x2000           0x39b4        0x3a00    False     0.489628232759   data       5.5440032904     IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                .rsrc   0x6000           0x6e8         0x800     False     0.35595703125    data       4.6384165532     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                .reloc  0x8000           0xc           0x200     False     0.044921875      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x60a0 | 0x45c | data | English | United States
RT_MANIFEST | 0x64fc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | - | -

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
LegalCopyright | All Rights Reserved
Assembly Version | 1.420.59.900
InternalName | F67b9O9XfbiW6JN101b0575e.exe
FileVersion | 1.420.59.900
CompanyName | F67b9O9XfbiW6JN101b0575e Inc.
LegalTrademarks | F67b9O9XfbiW6JN101b0575e
Comments | F67b9O9XfbiW6JN101b0575e
ProductName | F67b9O9XfbiW6JN101b0575e
ProductVersion | 1.420.59.900
FileDescription | F67b9O9XfbiW6JN101b0575e
OriginalFilename | F67b9O9XfbiW6JN101b0575e.exe
Translation | 0x0000 0x0514

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States | -

Network Behavior

Network Port Distribution

TCP Packets


UDP Packets


DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 22, 2021 19:35:44.346951008 CEST | 192.168.2.4 | 8.8.8.8 | 0x3df3 | Standard query (0) | bakercost.gq | A (IP address) | IN (0x0001)
Jul 22, 2021 19:37:38.028907061 CEST | 192.168.2.4 | 8.8.8.8 | 0xf8fe | Standard query (0) | mail.simpleitalian.com.au | A (IP address) | IN (0x0001)
Jul 22, 2021 19:37:38.887294054 CEST | 192.168.2.4 | 8.8.8.8 | 0xea12 | Standard query (0) | mail.simpleitalian.com.au | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 22, 2021 19:35:44.414767981 CEST | 8.8.8.8 | 192.168.2.4 | 0x3df3 | No error (0) | bakercost.gq | - | 172.67.156.203 | A (IP address) | IN (0x0001)
Jul 22, 2021 19:35:44.414767981 CEST | 8.8.8.8 | 192.168.2.4 | 0x3df3 | No error (0) | bakercost.gq | - | 104.21.13.164 | A (IP address) | IN (0x0001)
Jul 22, 2021 19:37:38.439606905 CEST | 8.8.8.8 | 192.168.2.4 | 0xf8fe | No error (0) | mail.simpleitalian.com.au | simpleitalian.com.au | - | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 19:37:38.439606905 CEST | 8.8.8.8 | 192.168.2.4 | 0xf8fe | No error (0) | simpleitalian.com.au | - | 103.18.109.159 | A (IP address) | IN (0x0001)
Jul 22, 2021 19:37:39.098787069 CEST | 8.8.8.8 | 192.168.2.4 | 0xea12 | No error (0) | mail.simpleitalian.com.au | simpleitalian.com.au | - | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 19:37:39.098787069 CEST | 8.8.8.8 | 192.168.2.4 | 0xea12 | No error (0) | simpleitalian.com.au | - | 103.18.109.159 | A (IP address) | IN (0x0001)

HTTPS Packets

| Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Jul 22, 2021 19:35:44.618968964 CEST | 172.67.156.203 | 443 | 192.168.2.4 | 49724 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Mon Jul 05 02:00:00 CEST 2021 | Tue Jul 05 01:59:59 CEST 2022 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad |
| (intermediate certificate in the same chain) | | | | | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | | |

SMTP Packets

| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
| --- | --- | --- | --- | --- | --- |
| Jul 22, 2021 19:37:40.488419056 CEST | 587 | 49757 | 103.18.109.159 | 192.168.2.4 | 220-r1.cpcloud.com.au ESMTP Exim 4.94.2 #2 Fri, 23 Jul 2021 03:37:40 +1000 |
| | | | | | 220-We do not authorize the use of this system to transport unsolicited, |
| | | | | | 220 and/or bulk e-mail. |
| Jul 22, 2021 19:37:40.489053965 CEST | 49757 | 587 | 192.168.2.4 | 103.18.109.159 | EHLO 642294 |
| Jul 22, 2021 19:37:40.777964115 CEST | 587 | 49757 | 103.18.109.159 | 192.168.2.4 | 250-r1.cpcloud.com.au Hello 642294 [84.17.52.8] |
| | | | | | 250-SIZE 52428800 |
| | | | | | 250-8BITMIME |
| | | | | | 250-PIPELINING |
| | | | | | 250-PIPE_CONNECT |
| | | | | | 250-AUTH PLAIN LOGIN |
| | | | | | 250-STARTTLS |
| | | | | | 250 HELP |
| Jul 22, 2021 19:37:40.778377056 CEST | 49757 | 587 | 192.168.2.4 | 103.18.109.159 | STARTTLS |
| Jul 22, 2021 19:37:41.068491936 CEST | 587 | 49757 | 103.18.109.159 | 192.168.2.4 | 220 TLS go ahead |

                                                                                Code Manipulations

                                                                                Statistics

                                                                                Behavior

                                                                                System Behavior

General

Start time: 19:35:43
Start date: 22/07/2021
Path: C:\Users\user\Desktop\K0bg9rZl2L.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\K0bg9rZl2L.exe'
Imagebase: 0x550000
File size: 17920 bytes
MD5 hash: 699E56EA4DA0B0865FC33308A8B09DF9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.690324946.000000000422F000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.698060077.0000000005A70000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.698060077.0000000005A70000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.681433338.0000000003878000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 19:35:49
Start date: 22/07/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\K0bg9rZl2L.exe' -Force
Imagebase: 0x1050000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 19:35:50
Start date: 22/07/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:35:51
Start date: 22/07/2021
Path: C:\Users\user\Desktop\K0bg9rZl2L.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\K0bg9rZl2L.exe
Imagebase: 0x5a0000
File size: 17920 bytes
MD5 hash: 699E56EA4DA0B0865FC33308A8B09DF9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.916660808.00000000029C1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.914072243.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000002.914072243.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                                Disassembly

                                                                                Code Analysis
