Loading ...

Play interactive tourEdit tour

Analysis Report New variant of covid 19.exe

Overview

General Information

Sample Name:New variant of covid 19.exe
Analysis ID:365752
MD5:a489513ca0de2472e0ad79830dd9ac44
SHA1:b767fe686e074f551773f208e1cb756d114e38c4
SHA256:df12835cd6bc77f9724900d2bf8f0403364ce6e8e81d389f8dc3b2eb8ca42961
Infos:

Most interesting Screenshot:

Detection

Quasar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
System process connects to network (likely due to code injection or exploit)
Yara detected Quasar RAT
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
May check the online IP address of the machine
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Tries to delay execution (extensive OutputDebugStringW loop)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • New variant of covid 19.exe (PID: 6372 cmdline: 'C:\Users\user\Desktop\New variant of covid 19.exe' MD5: A489513CA0DE2472E0AD79830DD9AC44)
    • powershell.exe (PID: 6864 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6884 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 7008 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • New variant of covid 19.exe (PID: 7152 cmdline: C:\Users\user\Desktop\New variant of covid 19.exe MD5: A489513CA0DE2472E0AD79830DD9AC44)
    • WerFault.exe (PID: 5488 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6372 -s 1956 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 6692 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • explorer.exe (PID: 6132 cmdline: 'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 6156 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • svchost.exe (PID: 6460 cmdline: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' MD5: A489513CA0DE2472E0AD79830DD9AC44)
      • powershell.exe (PID: 6552 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 4616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 3440 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • timeout.exe (PID: 5888 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • svchost.exe (PID: 1488 cmdline: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe MD5: A489513CA0DE2472E0AD79830DD9AC44)
  • svchost.exe (PID: 6568 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • explorer.exe (PID: 6964 cmdline: 'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 7112 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • svchost.exe (PID: 6988 cmdline: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' MD5: A489513CA0DE2472E0AD79830DD9AC44)
  • svchost.exe (PID: 5652 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4144 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1240 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5820 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6628 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4952 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7032 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3596 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5320 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000A.00000002.737784433.0000000000402000.00000040.00000001.sdmpQuasar_RAT_1Detects Quasar RATFlorian Roth
  • 0x3df40:$s1: DoUploadAndExecute
  • 0x3e184:$s2: DoDownloadAndExecute
  • 0x3dd05:$s3: DoShellExecute
  • 0x3e13c:$s4: set_Processname
  • 0x5824:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5748:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x61ae:$op3: 00 04 03 69 91 1B 40
  • 0x69fe:$op3: 00 04 03 69 91 1B 40
0000000A.00000002.737784433.0000000000402000.00000040.00000001.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
    Process Memory Space: New variant of covid 19.exe PID: 7152JoeSecurity_QuasarYara detected Quasar RATJoe Security

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      10.2.New variant of covid 19.exe.400000.0.unpackVermin_Keylogger_Jan18_1Detects Vermin KeyloggerFlorian Roth
      • 0x3ec23:$x3: GetKeyloggerLogsResponse
      • 0x3de7b:$x4: GetKeyloggerLogs
      • 0x3e153:$s1: <RunHidden>k__BackingField
      • 0x3edeb:$s2: set_SystemInfos
      • 0x3e17c:$s3: set_RunHidden
      • 0x3dcaf:$s4: set_RemotePath
      • 0x32027:$s7: xClient.Core.ReverseProxy.Packets
      10.2.New variant of covid 19.exe.400000.0.unpackxRAT_1Detects Patchwork malwareFlorian Roth
      • 0x305c0:$x4: xClient.Properties.Resources.resources
      • 0x30481:$s4: Client.exe
      • 0x3e17c:$s7: set_RunHidden
      10.2.New variant of covid 19.exe.400000.0.unpackQuasar_RAT_1Detects Quasar RATFlorian Roth
      • 0x3e140:$s1: DoUploadAndExecute
      • 0x3e384:$s2: DoDownloadAndExecute
      • 0x3df05:$s3: DoShellExecute
      • 0x3e33c:$s4: set_Processname
      • 0x5a24:$op1: 04 1E FE 02 04 16 FE 01 60
      • 0x5948:$op2: 00 17 03 1F 20 17 19 15 28
      • 0x63ae:$op3: 00 04 03 69 91 1B 40
      • 0x6bfe:$op3: 00 04 03 69 91 1B 40
      10.2.New variant of covid 19.exe.400000.0.unpackQuasar_RAT_2Detects Quasar RATFlorian Roth
      • 0x3ec23:$x1: GetKeyloggerLogsResponse
      • 0x3ee63:$s1: DoShellExecuteResponse
      • 0x3e7d2:$s2: GetPasswordsResponse
      • 0x3ed36:$s3: GetStartupItemsResponse
      • 0x3e154:$s5: RunHidden
      • 0x3e172:$s5: RunHidden
      • 0x3e180:$s5: RunHidden
      • 0x3e194:$s5: RunHidden
      10.2.New variant of covid 19.exe.400000.0.unpackMAL_QuasarRAT_May19_1Detects QuasarRAT malwareFlorian Roth
      • 0x4f661:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
      • 0x4f897:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...
      Click to see the 2 entries

      Sigma Overview

      System Summary:

      barindex
      Sigma detected: Executables Started in Suspicious FolderShow sources
      Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, NewProcessName: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, OriginalFileName: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6156, ProcessCommandLine: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , ProcessId: 6460
      Sigma detected: Execution in Non-Executable FolderShow sources
      Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, NewProcessName: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, OriginalFileName: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6156, ProcessCommandLine: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , ProcessId: 6460
      Sigma detected: Suspicious Program Location Process StartsShow sources
      Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, NewProcessName: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, OriginalFileName: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6156, ProcessCommandLine: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , ProcessId: 6460
      Sigma detected: Suspicious Svchost ProcessShow sources
      Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, NewProcessName: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, OriginalFileName: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6156, ProcessCommandLine: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , ProcessId: 6460
      Sigma detected: System File Execution Location AnomalyShow sources
      Source: Process startedAuthor: Florian Roth, Patrick Bareiss: Data: Command: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, NewProcessName: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, OriginalFileName: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6156, ProcessCommandLine: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , ProcessId: 6460
      Sigma detected: Windows Processes Suspicious Parent DirectoryShow sources
      Source: Process startedAuthor: vburov: Data: Command: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, NewProcessName: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, OriginalFileName: C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6156, ProcessCommandLine: 'C:\Users\Public\Documents\sfTrQxoCTFZPN\svchost.exe' , ProcessId: 6460

      Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Multi AV Scanner detection for domain / URLShow sources
      Source: liverpoolofcfanclub.comVirustotal: Detection: 8%Perma Link
      Source: devils.shacknet.usVirustotal: Detection: 9%Perma Link
      Yara detected Quasar RATShow sources
      Source: Yara matchFile source: 0000000A.00000002.737784433.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: New variant of covid 19.exe PID: 7152, type: MEMORY
      Source: Yara matchFile source: 10.2.New variant of covid 19.exe.400000.0.unpack, type: UNPACKEDPE
      Source: New variant of covid 19.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

      Networking:

      barindex
      May check the online IP address of the machineShow sources
      Source: unknownDNS query: name: ip-api.com
      Source: global trafficTCP traffic: 192.168.2.3:49717 -> 103.28.70.164:4782
      Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
      Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-62D0D2B15CF140C87AEA01E41DD7046D.html HTTP/1.1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: liverpoolofcfanclub.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-75F90208612A44FA7B0856621DD5DF3A.html HTTP/1.1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: liverpoolofcfanclub.com
      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-59F952AF6E65CA37DF9A6DD24C3AD6F0.html HTTP/1.1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: liverpoolofcfanclub.com
      Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-62D0D2B15CF140C87AEA01E41DD7046D.html HTTP/1.1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: liverpoolofcfanclub.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-75F90208612A44FA7B0856621DD5DF3A.html HTTP/1.1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: liverpoolofcfanclub.com
      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-59F952AF6E65CA37DF9A6DD24C3AD6F0.html HTTP/1.1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: liverpoolofcfanclub.com
      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-62D0D2B15CF140C87AEA01E41DD7046D.html HTTP/1.1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: liverpoolofcfanclub.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-75F90208612A44FA7B0856621DD5DF3A.html HTTP/1.1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: liverpoolofcfanclub.com
      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-59F952AF6E65CA37DF9A6DD24C3AD6F0.html HTTP/1.1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: liverpoolofcfanclub.com
      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-62D0D2B15CF140C87AEA01E41DD7046D.html HTTP/1.1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: liverpoolofcfanclub.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-75F90208612A44FA7B0856621DD5DF3A.html HTTP/1.1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: liverpoolofcfanclub.com
      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-59F952AF6E65CA37DF9A6DD24C3AD6F0.html HTTP/1.1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: liverpoolofcfanclub.com
      Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-62D0D2B15CF140C87AEA01E41DD7046D.html HTTP/1.1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: liverpoolofcfanclub.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-75F90208612A44FA7B0856621DD5DF3A.html HTTP/1.1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: liverpoolofcfanclub.com
      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-59F952AF6E65CA37DF9A6DD24C3AD6F0.html HTTP/1.1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: liverpoolofcfanclub.com
      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-62D0D2B15CF140C87AEA01E41DD7046D.html HTTP/1.1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: liverpoolofcfanclub.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-75F90208612A44FA7B0856621DD5DF3A.html HTTP/1.1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: liverpoolofcfanclub.com
      Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-59F952AF6E65CA37DF9A6DD24C3AD6F0.html HTTP/1.1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: liverpoolofcfanclub.com
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.facebook.com (Facebook)
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.twitter.com (Twitter)
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: <header class="mod-header" data-mod="header" data-immediate><div class="primary publication-theme-highlight"><a data-link-tracking="Header|MainLogo|Image|liverpool" id="logo" href="/">liverpool</a><a class="icon" id="hamburger" href="#">Load mobile navigation<span></span></a><nav class="primary"><section><ul data-level="1"><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Liverpool FC News" href="https://www.liverpool.com/liverpool-fc-news/">Liverpool FC News</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Latest News" href="https://www.liverpool.com/liverpool-fc-news/">Latest News</a></li><li><a data-link-tracking="Header|DropDown|Text|Transfer News" href="https://www.liverpool.com/liverpool-fc-news/transfer-news/">Transfer News</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Schedule" href="https://www.liverpool.com/schedule/">Schedule</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Premier League" href="https://www.liverpool.com/all-about/premier-league">Premier League</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li><a data-link-tracking="Header|SectionLabel|Text|Features" href="https://www.liverpool.com/liverpool-fc-news/features/">Features</a></li></ul></section></nav><profile-icon lr-custom-id="signin" lr-custom-class="header-profile-icon" lr-gtm-label="header" lr-show-account-link></profile-icon><div class="search"><button class="icon icon-search" id="search-icon" type="button" aria-label="Search"></button></div><div class="search-box hidden"><gcse:searchbox-only resultsUrl="https://www.liverpool.com/search/"></gcse:searchbox-only></div><div class="social-sites"><ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|top"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|top"></a></li></ul></div></div><nav class="secondary" data-smooth-scroll><section><ul class="click-track" data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/advertising/">Advertise with us</a></li></ul></section></nav><nav class="footer"><section><ul data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/r
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: <header class="mod-header" data-mod="header" data-immediate><div class="primary publication-theme-highlight"><a data-link-tracking="Header|MainLogo|Image|liverpool" id="logo" href="/">liverpool</a><a class="icon" id="hamburger" href="#">Load mobile navigation<span></span></a><nav class="primary"><section><ul data-level="1"><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Liverpool FC News" href="https://www.liverpool.com/liverpool-fc-news/">Liverpool FC News</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Latest News" href="https://www.liverpool.com/liverpool-fc-news/">Latest News</a></li><li><a data-link-tracking="Header|DropDown|Text|Transfer News" href="https://www.liverpool.com/liverpool-fc-news/transfer-news/">Transfer News</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Schedule" href="https://www.liverpool.com/schedule/">Schedule</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Premier League" href="https://www.liverpool.com/all-about/premier-league">Premier League</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li><a data-link-tracking="Header|SectionLabel|Text|Features" href="https://www.liverpool.com/liverpool-fc-news/features/">Features</a></li></ul></section></nav><profile-icon lr-custom-id="signin" lr-custom-class="header-profile-icon" lr-gtm-label="header" lr-show-account-link></profile-icon><div class="search"><button class="icon icon-search" id="search-icon" type="button" aria-label="Search"></button></div><div class="search-box hidden"><gcse:searchbox-only resultsUrl="https://www.liverpool.com/search/"></gcse:searchbox-only></div><div class="social-sites"><ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|top"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|top"></a></li></ul></div></div><nav class="secondary" data-smooth-scroll><section><ul class="click-track" data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/advertising/">Advertise with us</a></li></ul></section></nav><nav class="footer"><section><ul data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/r
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: <meta property="og:site_name" content="Liverpool.com"><meta property="og:language" content="en"><meta property="og:type" content="article"><meta property="og:title" content="The Brewster Experience has underdelivered so far, but that will change"><meta property="og:url" content="https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763"><meta property="og:description" content="Rhian Brewster was hyped up before the start of the season, but was that fair?"><meta property="og:image" content="https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178657262.jpg"><meta property="og:section" content="Features"><meta property="article:tag" content="Rhian Brewster"><meta property="article:author" content="https://www.facebook.com/kristianwalsh1987/"><meta property="article:published_time" content="2019-10-30T16:00:00Z"><meta property="article:modified_time" content="2019-10-30T15:36:53Z"><meta property="article:expiration_time" content="2019-11-29T15:36:53Z"><meta property="article:section" content="Features"><meta property="article:id" content="liverpool-17172763"> equals www.facebook.com (Facebook)
      Source: svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.facebook.com (Facebook)
      Source: svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.twitter.com (Twitter)
      Source: unknownDNS traffic detected: queries for: liverpoolofcfanclub.com
      Source: New variant of covid 19.exe, 0000000A.00000002.737784433.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://api.ipify.org/
      Source: svchost.exe, 00000015.00000003.277937021.0000000000E86000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
      Source: svchost.exe, 00000015.00000003.277937021.0000000000E86000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
      Source: powershell.exe, 00000005.00000002.312490657.0000000002ED5000.00000004.00000020.sdmp, svchost.exe, 00000015.00000003.281468526.0000000000E69000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: svchost.exe, 00000015.00000003.277937021.0000000000E86000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
      Source: svchost.exe, 00000012.00000003.600569565.00000213EECA1000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
      Source: svchost.exe, 00000015.00000003.277937021.0000000000E86000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
      Source: svchost.exe, 00000015.00000003.277937021.0000000000E86000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
      Source: svchost.exe, 00000015.00000003.277937021.0000000000E86000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
      Source: New variant of covid 19.exe, 00000000.00000003.196942702.00000000059C2000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/
      Source: New variant of covid 19.exe, 00000000.00000003.197794290.00000000017B3000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdE
      Source: New variant of covid 19.exe, 00000000.00000003.197444758.000000000598F000.00000004.00000001.sdmp, New variant of covid 19.exe, 00000000.00000003.196942702.00000000059C2000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
      Source: New variant of covid 19.exe, 00000000.00000003.196929354.00000000017B3000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4b6f634dedba6
      Source: New variant of covid 19.exe, 0000000A.00000002.737784433.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://freegeoip.net/xml/
      Source: New variant of covid 19.exe, 0000000A.00000002.744575828.0000000002F31000.00000004.00000001.sdmpString found in binary or memory: http://ip-api.com
      Source: New variant of covid 19.exe, 0000000A.00000002.737784433.0000000000402000.00000040.00000001.sdmp, New variant of covid 19.exe, 0000000A.00000002.744575828.0000000002F31000.00000004.00000001.sdmpString found in binary or memory: http://ip-api.com/json/
      Source: svchost.exe, 00000012.00000003.600569565.00000213EECA1000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0:
      Source: svchost.exe, 00000015.00000003.277937021.0000000000E86000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0C
      Source: svchost.exe, 00000015.00000003.277937021.0000000000E86000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0O
      Source: svchost.exe, 00000012.00000002.601903948.00000213F4400000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.msocsp.com0
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/BreadcrumbList
      Source: svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/ListItem
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/NewsArticle
      Source: New variant of covid 19.exe, 0000000A.00000002.744882535.0000000002F6A000.00000004.00000001.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
      Source: powershell.exe, 00000022.00000002.413593519.0000000004CB2000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
      Source: New variant of covid 19.exe, 0000000A.00000002.744575828.0000000002F31000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000022.00000002.413593519.0000000004CB2000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
      Source: svchost.exe, 0000001B.00000002.311005148.0000022377213000.00000004.00000001.sdmpString found in binary or memory: http://www.bingmapsportal.com
      Source: svchost.exe, 00000015.00000003.277937021.0000000000E86000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com/CPS0
      Source: svchost.exe, 00000018.00000002.739177943.0000017126845000.00000004.00000001.sdmpString found in binary or memory: https://%s.dnet.xboxlive.com
      Source: svchost.exe, 00000018.00000002.739177943.0000017126845000.00000004.00000001.sdmpString found in binary or memory: https://%s.xboxlive.com
      Source: svchost.exe, 00000018.00000002.739177943.0000017126845000.00000004.00000001.sdmpString found in binary or memory: https://activity.windows.com
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js
      Source: svchost.exe, 0000001B.00000003.309958248.0000022377260000.00000004.00000001.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
      Source: svchost.exe, 00000018.00000002.739113278.000001712682A000.00000004.00000001.sdmpString found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://c.amazon-adsystem.com/aax2/apstag.js
      Source: svchost.exe, 00000018.00000002.739113278.000001712682A000.00000004.00000001.sdmpString found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
      Source: svchost.exe, 0000001B.00000003.310012576.0000022377249000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
      Source: svchost.exe, 0000001B.00000003.309958248.0000022377260000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
      Source: svchost.exe, 0000001B.00000002.311128902.000002237723D000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
      Source: svchost.exe, 0000001B.00000003.309958248.0000022377260000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
      Source: svchost.exe, 0000001B.00000003.309882014.000002237724E000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
      Source: svchost.exe, 0000001B.00000003.287773862.0000022377231000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
      Source: svchost.exe, 0000001B.00000002.311128902.000002237723D000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
      Source: svchost.exe, 0000001B.00000003.309958248.0000022377260000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
      Source: svchost.exe, 0000001B.00000003.309958248.0000022377260000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
      Source: svchost.exe, 0000001B.00000003.309958248.0000022377260000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
      Source: svchost.exe, 0000001B.00000002.311156508.0000022377242000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
      Source: svchost.exe, 0000001B.00000002.311156508.0000022377242000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
      Source: svchost.exe, 0000001B.00000003.309958248.0000022377260000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
      Source: svchost.exe, 0000001B.00000002.311281205.000002237725C000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
      Source: svchost.exe, 0000001B.00000003.310012576.0000022377249000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
      Source: svchost.exe, 0000001B.00000002.311281205.000002237725C000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
      Source: svchost.exe, 0000001B.00000002.311281205.000002237725C000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
      Source: svchost.exe, 0000001B.00000003.310012576.0000022377249000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t
      Source: svchost.exe, 0000001B.00000003.309958248.0000022377260000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
      Source: svchost.exe, 0000001B.00000002.311128902.000002237723D000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
      Source: svchost.exe, 0000001B.00000003.287773862.0000022377231000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
      Source: svchost.exe, 00000011.00000003.281475012.000000000393A000.00000004.00000001.sdmpString found in binary or memory: https://felix.data.tm-awx.com
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://felix.data.tm-awx.com/ampconfig.json&quot;
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://felix.data.tm-awx.com/felix.min.js
      Source: New variant of covid 19.exe, 00000000.00000003.207848034.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.281475012.000000000393A000.00000004.00000001.sdmpString found in binary or memory: https://github.com/ded/script.js
      Source: svchost.exe, 00000011.00000003.281475012.000000000393A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com
      Source: svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article17156435.ece/ALTERNATES/s615/1_GettyImages-1183794835.
      Source: svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article17166876.ece/ALTERNATES/s615/0_GettyImages-1175998874.
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s220b/0_Salah-Pressing.jpg
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpg
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpg
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s180/0_Curtis-10.png
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s220b/0_Salah-Goal-vs-Leeds.jp
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpg
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpg
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s180/0_GettyImages-1304940818.
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpg
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpg
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
      Source: svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s180/0_GettyImages-1273716690.
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.303084080.0000000003D9A000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690
      Source: New variant of covid 19.exe, 00000000.00000003.202267041.000000000421A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.265515884.000000000393A000.00000004.00000001.sdmp, svchost.exe, 0000001<