Loading ...

Play interactive tourEdit tour

Analysis Report RFQ #46200058149.exe

Overview

General Information

Sample Name:RFQ #46200058149.exe
Analysis ID:383193
MD5:67b96dc502b0c7a496092d7e6d1da6c5
SHA1:a7c79eeaaafb23e8e40457cd5d44c61148cd1f5f
SHA256:ef5cb0bfe2d23b7a13b685f43dc9a100dac402023e11dce7991173bde63b298e
Tags:exeNanoCoreRAT
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Startup

  • System is w10x64
  • RFQ #46200058149.exe (PID: 5340 cmdline: 'C:\Users\user\Desktop\RFQ #46200058149.exe' MD5: 67B96DC502B0C7A496092D7E6D1DA6C5)
    • cmd.exe (PID: 5912 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5504 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • RFQ #46200058149.exe (PID: 5972 cmdline: C:\Users\user\Desktop\RFQ #46200058149.exe MD5: 67B96DC502B0C7A496092D7E6D1DA6C5)
    • WerFault.exe (PID: 5416 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 2672 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.301376960.000000000505E000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x105d5:$x1: NanoCore.ClientPluginHost
  • 0x10612:$x2: IClientNetworkHost
  • 0x14145:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.301376960.000000000505E000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000000.00000002.301376960.000000000505E000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0x1033d:$a: NanoCore
    • 0x1034d:$a: NanoCore
    • 0x10581:$a: NanoCore
    • 0x10595:$a: NanoCore
    • 0x105d5:$a: NanoCore
    • 0x1039c:$b: ClientPlugin
    • 0x1059e:$b: ClientPlugin
    • 0x105de:$b: ClientPlugin
    • 0x104c3:$c: ProjectData
    • 0x10eca:$d: DESCrypto
    • 0x18896:$e: KeepAlive
    • 0x16884:$g: LogClientMessage
    • 0x12a7f:$i: get_Connected
    • 0x11200:$j: #=q
    • 0x11230:$j: #=q
    • 0x1124c:$j: #=q
    • 0x1127c:$j: #=q
    • 0x11298:$j: #=q
    • 0x112b4:$j: #=q
    • 0x112e4:$j: #=q
    • 0x11300:$j: #=q
    00000000.00000003.240375757.000000000507F000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x223f5:$x1: NanoCore.ClientPluginHost
    • 0x55015:$x1: NanoCore.ClientPluginHost
    • 0x22432:$x2: IClientNetworkHost
    • 0x55052:$x2: IClientNetworkHost
    • 0x25f65:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x58b85:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    00000000.00000003.240375757.000000000507F000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      Click to see the 4 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      0.2.RFQ #46200058149.exe.505e448.10.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      0.2.RFQ #46200058149.exe.505e448.10.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0xff05:$x1: NanoCore Client.exe
      • 0x1018d:$x2: NanoCore.ClientPluginHost
      • 0x117c6:$s1: PluginCommand
      • 0x117ba:$s2: FileCommand
      • 0x1266b:$s3: PipeExists
      • 0x18422:$s4: PipeCreated
      • 0x101b7:$s5: IClientLoggingHost
      0.2.RFQ #46200058149.exe.505e448.10.raw.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        0.2.RFQ #46200058149.exe.505e448.10.raw.unpackNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
        • 0xfef5:$a: NanoCore
        • 0xff05:$a: NanoCore
        • 0x10139:$a: NanoCore
        • 0x1014d:$a: NanoCore
        • 0x1018d:$a: NanoCore
        • 0xff54:$b: ClientPlugin
        • 0x10156:$b: ClientPlugin
        • 0x10196:$b: ClientPlugin
        • 0x1007b:$c: ProjectData
        • 0x10a82:$d: DESCrypto
        • 0x1844e:$e: KeepAlive
        • 0x1643c:$g: LogClientMessage
        • 0x12637:$i: get_Connected
        • 0x10db8:$j: #=q
        • 0x10de8:$j: #=q
        • 0x10e04:$j: #=q
        • 0x10e34:$j: #=q
        • 0x10e50:$j: #=q
        • 0x10e6c:$j: #=q
        • 0x10e9c:$j: #=q
        • 0x10eb8:$j: #=q
        0.2.RFQ #46200058149.exe.505e448.10.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0xe38d:$x1: NanoCore.ClientPluginHost
        • 0xe3ca:$x2: IClientNetworkHost
        • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
        Click to see the 7 entries

        Sigma Overview

        System Summary:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\RFQ #46200058149.exe, ProcessId: 5972, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 00000000.00000002.301376960.000000000505E000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000003.240375757.000000000507F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: RFQ #46200058149.exe PID: 5340, type: MEMORY
        Source: Yara matchFile source: 0.2.RFQ #46200058149.exe.505e448.10.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.RFQ #46200058149.exe.505e448.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.3.RFQ #46200058149.exe.5091268.0.raw.unpack, type: UNPACKEDPE
        Source: unknownHTTPS traffic detected: 172.67.150.212:443 -> 192.168.2.5:49699 version: TLS 1.0
        Source: RFQ #46200058149.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: dhcpcsvc.pdb$ source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb3y source: RFQ #46200058149.exe, 00000007.00000003.443708855.00000000064D5000.00000004.00000001.sdmp
        Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RFQ #46200058149.exe, 00000000.00000002.301989509.0000000005979000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb* source: RFQ #46200058149.exe, 00000000.00000002.301989509.0000000005979000.00000004.00000001.sdmp
        Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.247025053.00000000035A1000.00000004.00000001.sdmp
        Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.ni.pdb8S source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: secur32.pdbR source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: ml.pdb? source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.247731524.0000000003595000.00000004.00000001.sdmp
        Source: Binary string: mskeyprotect.pdb=[ source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: cryptnet.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: dnsapi.pdb2 source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: winnsi.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: ml.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: clr.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: .ni.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: urlmon.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: schannel.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: RFQ #46200058149.PDBTwB source: RFQ #46200058149.exe, 00000000.00000002.293636749.00000000012F8000.00000004.00000010.sdmp
        Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.247492157.00000000035A7000.00000004.00000001.sdmp
        Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: \??\C:\Windows\mscorlib.pdb source: RFQ #46200058149.exe, 00000000.00000002.302123092.00000000059FC000.00000004.00000001.sdmp
        Source: Binary string: shcore.pdbn source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: jVisualBasic.pdb,+K source: RFQ #46200058149.exe, 00000000.00000002.293636749.00000000012F8000.00000004.00000010.sdmp
        Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000B.00000003.259007833.00000000059A0000.00000004.00000040.sdmp
        Source: Binary string: crypt32.pdbF source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: WLDP.pdbD source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: iertutil.pdbZ source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: mscorsecimpl.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: imagehlp.pdbX source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: nsi.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Core.ni.pdb8S source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: System.Configuration.pdb8S source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: webio.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: gpapi.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdbRSDS source: WER5FCE.tmp.dmp.11.dr
        Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: C:\Users\user\Desktop\RFQ #46200058149.PDB/ source: RFQ #46200058149.exe, 00000000.00000002.293636749.00000000012F8000.00000004.00000010.sdmp
        Source: Binary string: iertutil.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: cryptsp.pdbL source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: System.pdb?W source: WerFault.exe, 0000000B.00000003.258734874.000000000581E000.00000004.00000001.sdmp
        Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: ucrtbase.pdb_ source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: mscorlib.pdb source: RFQ #46200058149.exe, 00000000.00000002.301971445.0000000005960000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: comctl32v582.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: RFQ #46200058149.exe, 00000007.00000003.443708855.00000000064D5000.00000004.00000001.sdmp
        Source: Binary string: System.ni.pdb8S source: WerFault.exe, 0000000B.00000003.258734874.000000000581E000.00000004.00000001.sdmp
        Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.247025053.00000000035A1000.00000004.00000001.sdmp
        Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER5FCE.tmp.dmp.11.dr
        Source: Binary string: urlmon.pdbh source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: secur32.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.259007833.00000000059A0000.00000004.00000040.sdmp
        Source: Binary string: rasapi32.pdb> source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.ni.pdbRSDS source: WER5FCE.tmp.dmp.11.dr
        Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: ml.ni.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: schannel.pdb^ source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.ni.pdbT3#l source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Core.ni.pdbRSDSD source: WER5FCE.tmp.dmp.11.dr
        Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.pdb-3853321935-2125563209-4053062332-1002_Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler source: RFQ #46200058149.exe, 00000007.00000003.425042337.00000000064DB000.00000004.00000001.sdmp
        Source: Binary string: wmswsock.pdbl source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: Kernel.Appcore.pdb! source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: .pdb, source: RFQ #46200058149.exe, 00000000.00000002.293636749.00000000012F8000.00000004.00000010.sdmp
        Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: wUxTheme.pdbt source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdb8S source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: jLC:\Windows\Microsoft.VisualBasic.pdb source: RFQ #46200058149.exe, 00000000.00000002.293636749.00000000012F8000.00000004.00000010.sdmp
        Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: fwpuclnt.pdb8 source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: iphlpapi.pdbf source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: comctl32v582.pdb=R source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: winhttp.pdb* source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: propsys.pdb@ source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: rtutils.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.pdbx source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.247731524.0000000003595000.00000004.00000001.sdmp
        Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Core.pdb8S source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: cabinet.pdb` source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: System.ni.pdbRSDS source: WER5FCE.tmp.dmp.11.dr
        Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: cabinet.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: rasman.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: Microsoft.VisualBasic.pdb0 source: WER5FCE.tmp.dmp.11.dr
        Source: Binary string: mscorlib.pdb853321935-2125563209-4053062332-1002_Classes\WOW6432Node\CLSID\{9ac9fbe1-e0a2-4ad6-b4ee-e212013ea917}\InprocServer32 source: RFQ #46200058149.exe, 00000000.00000002.301971445.0000000005960000.00000004.00000001.sdmp
        Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: nsi.pdb=[ source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: version.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: onfiguration.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: System.pdb source: WerFault.exe, 0000000B.00000003.258734874.000000000581E000.00000004.00000001.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: ore.ni.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: ore.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: psapi.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Windows.Forms.pdb8S source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: cldapi.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.247492157.00000000035A7000.00000004.00000001.sdmp
        Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: powrprof.pdbT source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: CLBCatQ.pdbz source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: System.Xml.pdb8 source: WER5FCE.tmp.dmp.11.dr
        Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.ni.pdb8S source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: System.Xml.pdb8S source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: edputil.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp

        Networking:

        barindex
        Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49700 -> 45.15.143.169:5353
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49701 -> 45.15.143.169:5353
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49708 -> 45.15.143.169:5353
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49711 -> 45.15.143.169:5353
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49717 -> 45.15.143.169:5353
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49721 -> 45.15.143.169:5353
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49724 -> 45.15.143.169:5353
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49725 -> 45.15.143.169:5353
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49727 -> 45.15.143.169:5353
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49728 -> 45.15.143.169:5353
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49731 -> 45.15.143.169:5353
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49737 -> 45.15.143.169:5353
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49738 -> 45.15.143.169:5353
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49739 -> 45.15.143.169:5353
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49740 -> 45.15.143.169:5353
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49741 -> 45.15.143.169:5353
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49744 -> 45.15.143.169:5353
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49745 -> 45.15.143.169:5353
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49746 -> 45.15.143.169:5353
        Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FE6EFB3AED9F05224C930BEF8BE1CC20.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cfConnection: Keep-Alive
        Source: Joe Sandbox ViewIP Address: 172.67.150.212 172.67.150.212
        Source: Joe Sandbox ViewASN Name: DEDIPATH-LLCUS DEDIPATH-LLCUS
        Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
        Source: unknownHTTPS traffic detected: 172.67.150.212:443 -> 192.168.2.5:49699 version: TLS 1.0
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: unknownTCP traffic detected without corresponding DNS query: 45.15.143.169
        Source: global trafficHTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FE6EFB3AED9F05224C930BEF8BE1CC20.html HTTP/1.1UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41Host: myliverpoolnews.cfConnection: Keep-Alive
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.facebook.com (Facebook)
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.twitter.com (Twitter)
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: <header class="mod-header" data-mod="header" data-immediate><div class="primary publication-theme-highlight"><a data-link-tracking="Header|MainLogo|Image|liverpool" id="logo" href="/">liverpool</a><a class="icon" id="hamburger" href="#">Load mobile navigation<span></span></a><nav class="primary"><section><ul data-level="1"><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Liverpool FC News" href="https://www.liverpool.com/liverpool-fc-news/">Liverpool FC News</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Latest News" href="https://www.liverpool.com/liverpool-fc-news/">Latest News</a></li><li><a data-link-tracking="Header|DropDown|Text|Transfer News" href="https://www.liverpool.com/liverpool-fc-news/transfer-news/">Transfer News</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Schedule" href="https://www.liverpool.com/schedule/">Schedule</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Premier League" href="https://www.liverpool.com/all-about/premier-league">Premier League</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li><a data-link-tracking="Header|SectionLabel|Text|Features" href="https://www.liverpool.com/liverpool-fc-news/features/">Features</a></li></ul></section></nav><profile-icon lr-custom-id="signin" lr-custom-class="header-profile-icon" lr-gtm-label="header" lr-show-account-link></profile-icon><div class="search"><button class="icon icon-search" id="search-icon" type="button" aria-label="Search"></button></div><div class="search-box hidden"><gcse:searchbox-only resultsUrl="https://www.liverpool.com/search/"></gcse:searchbox-only></div><div class="social-sites"><ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|top"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|top"></a></li></ul></div></div><nav class="secondary" data-smooth-scroll><section><ul class="click-track" data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/advertising/">Advertise with us</a></li></ul></section></nav><nav class="footer"><section><ul data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/r
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: <header class="mod-header" data-mod="header" data-immediate><div class="primary publication-theme-highlight"><a data-link-tracking="Header|MainLogo|Image|liverpool" id="logo" href="/">liverpool</a><a class="icon" id="hamburger" href="#">Load mobile navigation<span></span></a><nav class="primary"><section><ul data-level="1"><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Liverpool FC News" href="https://www.liverpool.com/liverpool-fc-news/">Liverpool FC News</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Latest News" href="https://www.liverpool.com/liverpool-fc-news/">Latest News</a></li><li><a data-link-tracking="Header|DropDown|Text|Transfer News" href="https://www.liverpool.com/liverpool-fc-news/transfer-news/">Transfer News</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Schedule" href="https://www.liverpool.com/schedule/">Schedule</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Premier League" href="https://www.liverpool.com/all-about/premier-league">Premier League</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li><a data-link-tracking="Header|SectionLabel|Text|Features" href="https://www.liverpool.com/liverpool-fc-news/features/">Features</a></li></ul></section></nav><profile-icon lr-custom-id="signin" lr-custom-class="header-profile-icon" lr-gtm-label="header" lr-show-account-link></profile-icon><div class="search"><button class="icon icon-search" id="search-icon" type="button" aria-label="Search"></button></div><div class="search-box hidden"><gcse:searchbox-only resultsUrl="https://www.liverpool.com/search/"></gcse:searchbox-only></div><div class="social-sites"><ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|top"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|top"></a></li></ul></div></div><nav class="secondary" data-smooth-scroll><section><ul class="click-track" data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/advertising/">Advertise with us</a></li></ul></section></nav><nav class="footer"><section><ul data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/r
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: <meta property="og:site_name" content="Liverpool.com"><meta property="og:language" content="en"><meta property="og:type" content="article"><meta property="og:title" content="The Brewster Experience has underdelivered so far, but that will change"><meta property="og:url" content="https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763"><meta property="og:description" content="Rhian Brewster was hyped up before the start of the season, but was that fair?"><meta property="og:image" content="https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178657262.jpg"><meta property="og:section" content="Features"><meta property="article:tag" content="Rhian Brewster"><meta property="article:author" content="https://www.facebook.com/kristianwalsh1987/"><meta property="article:published_time" content="2019-10-30T16:00:00Z"><meta property="article:modified_time" content="2019-10-30T15:36:53Z"><meta property="article:expiration_time" content="2019-11-29T15:36:53Z"><meta property="article:section" content="Features"><meta property="article:id" content="liverpool-17172763"> equals www.facebook.com (Facebook)
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.facebook.com (Facebook)
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.twitter.com (Twitter)
        Source: unknownDNS traffic detected: queries for: myliverpoolnews.cf
        Source: RFQ #46200058149.exe, 00000000.00000002.296584123.00000000032E4000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
        Source: RFQ #46200058149.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
        Source: RFQ #46200058149.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
        Source: RFQ #46200058149.exe, 00000000.00000002.296584123.00000000032E4000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
        Source: RFQ #46200058149.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
        Source: RFQ #46200058149.exe, 00000000.00000002.302123092.00000000059FC000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
        Source: RFQ #46200058149.exeString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
        Source: RFQ #46200058149.exe, 00000000.00000002.296584123.00000000032E4000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
        Source: RFQ #46200058149.exeString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
        Source: RFQ #46200058149.exeString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
        Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
        Source: RFQ #46200058149.exe, 00000000.00000002.296513368.0000000003291000.00000004.00000001.sdmpString found in binary or memory: http://myliverpoolnews.cf
        Source: RFQ #46200058149.exe, 00000000.00000002.296513368.0000000003291000.00000004.00000001.sdmpString found in binary or memory: http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-
        Source: RFQ #46200058149.exe, 00000000.00000002.296584123.00000000032E4000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0
        Source: RFQ #46200058149.exe, 00000000.00000002.302123092.00000000059FC000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0:
        Source: RFQ #46200058149.exeString found in binary or memory: http://ocsp.digicert.com0C
        Source: RFQ #46200058149.exeString found in binary or memory: http://ocsp.digicert.com0O
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/BreadcrumbList
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/ListItem
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/NewsArticle
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
        Source: RFQ #46200058149.exe, 00000000.00000002.296513368.0000000003291000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
        Source: RFQ #46200058149.exeString found in binary or memory: http://www.digicert.com/CPS0
        Source: RFQ #46200058149.exe, 00000000.00000002.296584123.00000000032E4000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com/CPS0v
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://c.amazon-adsystem.com/aax2/apstag.js
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://felix.data.tm-awx.com
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://felix.data.tm-awx.com/ampconfig.json&quot;
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://felix.data.tm-awx.com/felix.min.js
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://github.com/ded/script.js
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article17156435.ece/ALTERNATES/s615/1_GettyImages-1183794835.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article17166876.ece/ALTERNATES/s615/0_GettyImages-1175998874.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp, RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp, RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s220b/0_Salah-Pressing.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp, RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp, RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s180/0_Curtis-10.png
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s220b/0_Salah-Goal-vs-Leeds.jp
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s180/0_GettyImages-1304940818.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s180/0_GettyImages-1273716690.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s615/0_GettyImages-1302496803.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s615/1_WhatsApp-Image-2021-03-
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://mab.data.tm-awx.com/rhs&quot;
        Source: RFQ #46200058149.exe, 00000000.00000002.296563326.00000000032CF000.00000004.00000001.sdmpString found in binary or memory: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal
        Source: RFQ #46200058149.exe, 00000000.00000002.296563326.00000000032CF000.00000004.00000001.sdmpString found in binary or memory: https://myliverpoolnews.cf4
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://quantcast.mgr.consensu.org
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://reach-id.orbit.tm-awx.com/analytics.js.gz
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://reachplc.hub.loginradius.com&quot;
        Source: RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.liverpool.com
        Source: RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.liverpool.com/
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.mirror.co.uk/
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://securepubads.g.doubleclick.net/tag/js/gpt.js
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://static.hotjar.com/c/hotjar-
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://trinitymirror.grapeshot.co.uk/
        Source: RFQ #46200058149.exeString found in binary or memory: https://www.digicert.com/CPS0
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.google-analytics.com
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-M3TH25P
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/andrew-robertson
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/champions-league
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp, RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/curtis-jones
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/georginio-wijnaldum
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/mohamed-salah
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/ozan-kabak
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/premier-league
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/sadio-mane
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/steven-gerrard
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/transfers
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp, RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp, RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668
        Source: RFQ #462